Guide to the Secure Configuration of Oracle Linux 8
with profile DISA STIG for Oracle Linux 8This profile contains configuration checks that align to the DISA STIG for Oracle Linux 8 V1R7.
https://www.open-scap.org/security-policies/scap-security-guide
scap-security-guide package which is developed at
https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Evaluation Characteristics
| Evaluation target | 83940eb112a0 |
|---|---|
| Benchmark URL | #scap_org.open-scap_comp_ssg-ol8-xccdf.xml |
| Benchmark ID | xccdf_org.ssgproject.content_benchmark_OL-8 |
| Benchmark version | 0.1.69 |
| Profile ID | xccdf_org.ssgproject.content_profile_stig |
| Started at | 2023-12-18T23:47:53+00:00 |
| Finished at | 2023-12-18T23:47:57+00:00 |
| Performed by | root |
| Test system | cpe:/a:redhat:openscap:1.3.8 |
CPE Platforms
- cpe:/o:oracle:linux:8
Addresses
- IPv4 127.0.0.1
- IPv4 172.17.0.2
- MAC 00:00:00:00:00:00
- MAC 02:42:AC:11:00:02
Compliance and Scoring
Rule results
Severity of failed rules
Score
| Scoring system | Score | Maximum | Percent |
|---|---|---|---|
| urn:xccdf:scoring:default | 80.615921 | 100.000000 |
Rule Overview
Result Details
Install AIDE
Build and Test AIDE Database
| Rule ID | xccdf_org.ssgproject.content_rule_aide_build_database |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 11.5.2, SRG-OS-000445-GPOS-00199, OL08-00-010359, SV-252654r880573_rule |
| Description | Run the following command to generate a new database:
$ sudo /usr/sbin/aide --initBy default, the database will be written to the file /var/lib/aide/aide.db.new.gz.
Storing the database, the configuration file /etc/aide.conf, and the binary
/usr/sbin/aide
(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gzTo initiate a manual check, run the following command: $ sudo /usr/sbin/aide --checkIf this check produces any unexpected output, investigate. |
| Rationale | For AIDE to be effective, an initial database of "known-good" information about files
must be captured and it should be able to be verified against the installed files. |
Configure AIDE to Verify the Audit Tools
| Rule ID | xccdf_org.ssgproject.content_rule_aide_check_audit_tools |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001496, AU-9(3), AU-9(3).1, SRG-OS-000278-GPOS-00108, OL08-00-030650, SV-248810r880559_rule |
| Description | The operating system file integrity tool must be configured to protect the integrity of the audit tools. |
| Rationale | Protecting the integrity of the tools used for auditing purposes is a
critical step toward ensuring the integrity of audit information. Audit
information includes all information (e.g., audit records, audit settings,
and audit reports) needed to successfully audit information system
activity.
Audit tools include but are not limited to vendor-provided and open-source
audit tools needed to successfully view and manipulate audit information
system activity and records. Audit tools include custom queries and report
generators.
It is not uncommon for attackers to replace the audit tools or inject code
into the existing tools to provide the capability to hide or erase system
activity from the audit logs.
To address this risk, audit tools must be cryptographically signed to
provide the capability to identify when the audit tools have been modified,
manipulated, or replaced. An example is a checksum hash of the file or
files. |
Configure Notification of Post-AIDE Scan Details
| Rule ID | xccdf_org.ssgproject.content_rule_aide_scan_notification |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R51), 1, 11, 12, 13, 15, 16, 2, 3, 5, 7, 8, 9, BAI01.06, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, SR 6.2, SR 7.6, A.12.1.2, A.12.4.1, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, CM-6(a), CM-3(5), DE.CM-1, DE.CM-7, PR.IP-1, PR.IP-3, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, OL08-00-010360, SV-248573r902806_rule |
| Description | AIDE should notify appropriate personnel of the details of a scan after the scan has been run.
If AIDE has already been configured for periodic execution in /etc/crontab, append the
following line to the existing AIDE line:
| /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostOtherwise, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhostAIDE can be executed periodically through other means; this is merely one example. |
| Rationale | Unauthorized changes to the baseline configuration could make the system vulnerable
to various attacks or allow unauthorized access to the operating system. Changes to
operating system configurations can have unintended side effects, some of which may
be relevant to security.
Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item. |
Configure AIDE to Verify Access Control Lists (ACLs)
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_acls |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, OL08-00-040310, SV-248897r880561_rule |
| Description | By default, the acl option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the acl option is missing, add acl
to the appropriate ruleset.
For example, add acl to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds acl to all rule sets available in
/etc/aide.conf |
| Rationale | ACLs can provide permissions beyond those permitted through the file mode and must be
verified by the file integrity tools. |
Configure AIDE to Verify Extended Attributes
| Rule ID | xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R51), 2, 3, APO01.06, BAI03.05, BAI06.01, DSS06.02, CCI-000366, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, A.11.2.4, A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3, A.14.2.4, SI-7, SI-7(1), CM-6(a), PR.DS-6, PR.DS-8, SRG-OS-000480-GPOS-00227, OL08-00-040300, SV-248896r780254_rule |
| Description | By default, the xattrs option is added to the FIPSR ruleset in AIDE.
If using a custom ruleset or the xattrs option is missing, add xattrs
to the appropriate ruleset.
For example, add xattrs to the following line in /etc/aide.conf:
FIPSR = p+i+n+u+g+s+m+c+acl+selinux+xattrs+sha256AIDE rules can be configured in multiple ways; this is merely one example that is already configured by default. The remediation provided with this rule adds xattrs to all rule sets available in
/etc/aide.conf |
| Rationale | Extended attributes in file systems are used to contain arbitrary data and file metadata
with security implications. |
Audit Tools Must Be Group-owned by Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_audit_tools_group_ownership |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, OL08-00-030640, SV-248809r779993_rule |
| Description | Oracle Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Audit tools must have the correct group owner. |
| Rationale | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. |
Audit Tools Must Be Owned by Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_audit_tools_ownership |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001493, CCI-001494, CCI-001495, AU-9, SRG-OS-000256-GPOS-00097, SRG-OS-000257-GPOS-00098, SRG-OS-000258-GPOS-00099, OL08-00-030630, SV-248808r779990_rule |
| Description | Oracle Linux 8 systems providing tools to interface with audit information will leverage user permissions and roles identifying the user accessing the tools, and the corresponding rights the user enjoys, to make access decisions regarding the access to audit tools.
Audit tools include, but are not limited to, vendor-provided and open source audit tools needed to successfully view and manipulate audit information system activity and records. Audit tools include custom queries and report generators.
Audit tools must have the correct owner. |
| Rationale | Protecting audit information also includes identifying and protecting the tools used to view and manipulate log data.
Therefore, protecting audit tools is necessary to prevent unauthorized operations on audit information. |
Enable Dracut FIPS Module
| Rule ID | xccdf_org.ssgproject.content_rule_enable_dracut_fips_module |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, OL08-00-010020, SV-248524r877398_rule |
| Description | To enable FIPS mode, run the following command:
fips-mode-setup --enableTo enable FIPS, the system requires that the fips module is added in dracut configuration.
Check if /etc/dracut.conf.d/40-fips.conf contain add_dracutmodules+=" fips " |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process. |
Enable FIPS Mode
| Rule ID | xccdf_org.ssgproject.content_rule_enable_fips_mode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000068, CCI-000803, CCI-002450, 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-3(6), SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, FCS_RBG_EXT.1, SRG-OS-000478-GPOS-00223, SRG-OS-000396-GPOS-00176, OL08-00-010020, SV-248524r877398_rule |
| Description |
To enable FIPS mode, run the following command:
fips-mode-setup --enable The fips-mode-setup command will configure the system in
FIPS mode by automatically configuring the following:
|
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
You can find the list of FIPS certified modules at
https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search.
This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means. |
Set kernel parameter 'crypto.fips_enabled' to 1
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000068, CCI-000803, CCI-000877, CCI-001453, CCI-002418, CCI-002450, CCI-002890, CCI-003123, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-12(2), SC-12(3), IA-7, SC-13, CM-6(a), SC-12, SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000396-GPOS-00176, SRG-OS-000423-GPOS-00187, SRG-OS-000478-GPOS-00223, OL08-00-010020, SV-248524r877398_rule |
| Description | System running in FIPS mode is indicated by kernel parameter
'crypto.fips_enabled'. This parameter should be set to 1 in FIPS mode.
To enable FIPS mode, run the following command:
fips-mode-setup --enableTo enable strict FIPS compliance, the fips=1 kernel option needs to be added to the kernel boot parameters during system installation so key generation is done with FIPS-approved algorithms and continuous monitoring tests in place. |
| Rationale | Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
protect data. The operating system must implement cryptographic modules adhering to the higher
standards approved by the federal government since this provides assurance they have been tested
and validated. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
systems to protect sensitive information in computer and telecommunication systems
(including voice systems) as defined in Section 5131 of the Information Technology
Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
and implementing cryptographic modules that Federal departments and agencies operate or are
operated for them under contract.
See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by a vendor that has
undergone this certification. This means providing documentation, test results, design
information, and independent third party review by an accredited lab. While open source
software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
this process. |
Configure BIND to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_bind_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000423-GPOS-00187, SRG-OS-000426-GPOS-00190, OL08-00-010020, SV-248524r877398_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
BIND is supported by crypto policy, but the BIND configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/named.conf
includes the appropriate configuration:
In the options section of /etc/named.conf, make sure that the following line
is not commented out or superseded by later includes:
include "/etc/crypto-policies/back-ends/bind.config"; |
| Rationale | Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
and makes system configuration more fragmented. |
package bind is removed oval:ssg-test_package_bind_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_bind_removed:obj:1 of type rpminfo_object
| Name |
|---|
| bind |
Check that the configuration includes the policy config file. oval:ssg-test_configure_bind_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_bind_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/named.conf | ^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$ | 1 |
Configure System Cryptography Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010020, SV-248524r877398_rule |
| Description | To configure the system cryptography policy to use ciphers only from the FIPS
policy, run the following command:
$ sudo update-crypto-policies --set FIPSThe rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon. |
| Rationale | Centralized cryptographic policies simplify applying secure ciphers across an operating system and
the applications that run on that operating system. Use of weak or untested encryption algorithms
undermines the purposes of utilizing encryption to protect data. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
check for crypto policy correctly configured in /etc/crypto-policies/config oval:ssg-test_configure_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/config | DEFAULT |
check for crypto policy correctly configured in /etc/crypto-policies/state/current oval:ssg-test_configure_crypto_policy_current:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/state/current | DEFAULT |
Check if update-crypto-policies has been run oval:ssg-test_crypto_policies_updated:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_crypto_policies_config_file_timestamp:var:1 | 1701106766 |
Check if /etc/crypto-policies/back-ends/nss.config exists oval:ssg-test_crypto_policy_nss_config:tst:1 true
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/crypto-policies/back-ends/nss.config | symbolic link | 0 | 0 | 42 | rwxrwxrwx |
Configure GnuTLS library to use DoD-approved TLS Encryption
| Rule ID | xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_gnutls_tls_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, SRG-OS-000423-GPOS-00187, OL08-00-010295, SV-248566r877394_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
GnuTLS is supported by system crypto policy, but the GnuTLS configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/gnutls.config contains the following
line and is not commented out:
+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0 |
| Rationale | Overriding the system crypto policy makes the behavior of the GnuTLS
library violate expectations, and makes system configuration more
fragmented. |
tests the presence of '+VERS-ALL:-VERS-DTLS0.9:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0' setting in the /etc/crypto-policies/back-ends/gnutls.config file oval:ssg-test_configure_gnutls_tls_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_configure_gnutls_tls_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/crypto-policies/back-ends/gnutls.config | \+VERS-ALL:-VERS-DTLS0\.9:-VERS-SSL3\.0:-VERS-TLS1\.0:-VERS-TLS1\.1:-VERS-DTLS1\.0 | 1 |
Configure Kerberos to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_kerberos_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 0418, 1055, 1402, CIP-003-8 R4.2, CIP-007-3 R5.1, SC-13, SC-12(2), SC-12(3), SRG-OS-000120-GPOS-00061, OL08-00-010020, SV-248524r877398_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Kerberos is supported by crypto policy, but it's configuration may be
set up to ignore it.
To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at
/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings. |
| Rationale | Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
and makes system configuration more fragmented. |
Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt |
Check if kerberos configuration symlink links to the crypto-policy backend file oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1 | /usr/share/crypto-policies/DEFAULT/krb5.txt |
Configure Libreswan to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_libreswan_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_IPSEC_EXT.1.4, FCS_IPSEC_EXT.1.6, Req-2.2, 2.2, SRG-OS-000033-GPOS-00014, OL08-00-010020, SV-248524r877398_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
Libreswan is supported by system crypto policy, but the Libreswan configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that the /etc/ipsec.conf
includes the appropriate configuration file.
In /etc/ipsec.conf, make sure that the following line
is not commented out or superseded by later includes:
include /etc/crypto-policies/back-ends/libreswan.config |
| Rationale | Overriding the system crypto policy makes the behavior of the Libreswan
service violate expectations, and makes system configuration more
fragmented. |
package libreswan is installed oval:ssg-test_package_libreswan_installed:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreswan_installed:obj:1 of type rpminfo_object
| Name |
|---|
| libreswan |
Check that the libreswan configuration includes the crypto policy config file oval:ssg-test_configure_libreswan_crypto_policy:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_libreswan_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/ipsec.conf | ^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$ | 1 |
Configure OpenSSL library to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_openssl_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001453, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, OL08-00-010293, SV-248564r877394_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
available under /etc/pki/tls/openssl.cnf.
This file has the ini format, and it enables crypto policy support
if there is a [ crypto_policy ] section that contains the .include /etc/crypto-policies/back-ends/opensslcnf.config directive. |
| Rationale | Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
and makes system configuration more fragmented. |
Check that the configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_crypto_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pki/tls/openssl.cnf | [ crypto_policy ] .include /etc/crypto-policies/back-ends/opensslcnf.config |
Configure OpenSSL library to use TLS Encryption
| Rule ID | xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_openssl_tls_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, OL08-00-010294, SV-248565r877394_rule |
| Description | Crypto Policies are means of enforcing certain cryptographic settings for
selected applications including OpenSSL. OpenSSL is by default configured to
modify its configuration based on currently configured Crypto Policy.
Editing the Crypto Policy back-end is not recommended.
Check the crypto-policies(7) man page and choose a policy that configures TLS
protocol to version 1.2 or higher, for example DEFAULT, FUTURE or FIPS policy.
Or create and apply a custom policy that restricts minimum TLS version to 1.2.
For example for versions prior to crypto-policies-20210617-1.gitc776d3e.el8.noarch
this is expected:
$ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config MinProtocol = TLSv1.2Or for version crypto-policies-20210617-1.gitc776d3e.el8.noarch and newer this is expected: $ sudo grep -i MinProtocol /etc/crypto-policies/back-ends/opensslcnf.config TLS.MinProtocol = TLSv1.2 DTLS.MinProtocol = DTLSv1.2 |
| Rationale | Without cryptographic integrity protections, information can be altered by
unauthorized users without detection. |
| Warnings | warning
This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive.
Ensure the variable xccdf_org.ssgproject.content_value_var_system_crypto_policy is set to a
Crypto Policy that satisfies OpenSSL minimum TLS protocol version 1.2. Custom policies may be applied too. |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_tls_crypto_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensslcnf.config | TLS.MinProtocol = TLSv1.2 |
Installed version of crypto-policies is older than 20210617-1 oval:ssg-test_installed_version_of_crypto_policies:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| crypto-policies | noarch | (none) | 1.git3177e06.el8 | 20230731 | 0:20230731-1.git3177e06.el8 | 82562ea9ad986da3 | crypto-policies-0:20230731-1.git3177e06.el8.noarch |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_openssl_dtls_crypto_policy:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensslcnf.config | DTLS.MinProtocol = DTLSv1.2 |
Configure SSH to use System Crypto Policy
| Rule ID | xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-configure_ssh_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, Req-2.2, 2.2, SRG-OS-000250-GPOS-00093, OL08-00-010287, SV-248560r877394_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
SSH is supported by crypto policy, but the SSH configuration may be
set up to ignore it.
To check that Crypto Policies settings are configured correctly, ensure that
the CRYPTO_POLICY variable is either commented or not set at all
in the /etc/sysconfig/sshd. |
| Rationale | Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
and makes system configuration more fragmented. |
Check that the SSH configuration mandates usage of system-wide crypto policies. oval:ssg-test_configure_ssh_crypto_policy:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sysconfig/sshd | ^\s*(?i)CRYPTO_POLICY\s*=.*$ | 1 |
Configure SSH Client to Use FIPS 140-2 Validated Ciphers: openssh.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_ciphers_openssh_conf_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000068, CCI-000877, CCI-001453, CCI-002418, CCI-002890, CCI-003123, AC-17(2), SRG-OS-000033-GPOS-00014, SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, SRG-OS-000423-GPOS-00187, OL08-00-010020, SV-248524r877398_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings for ciphers are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config contains the following
line and is not commented out:
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com |
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH client
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of Ciphers setting in the /etc/crypto-policies/back-ends/openssh.config file oval:ssg-test_harden_sshd_ciphers_openssh_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/openssh.config | Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc |
Configure SSH Server to Use FIPS 140-2 Validated Ciphers: opensshserver.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_ciphers_opensshserver_conf_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, OL08-00-010291, SV-248562r917905_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings for ciphers are configured correctly, ensure that
/etc/crypto-policies/back-ends/opensshserver.config contains the following
text and is not commented out:
-oCiphers=aes256-ctr,aes192-ctr,aes128-ctr,aes256-gcm@openssh.com,aes128-gcm@openssh.com |
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH server
violate expectations, and makes system configuration more fragmented. By
specifying a cipher list with the order of ciphers being in a “strongest to
weakest” orientation, the system will automatically attempt to use the
strongest cipher for securing SSH connections. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of Ciphers setting in the /etc/crypto-policies/back-ends/opensshserver.config file oval:ssg-test_harden_sshd_ciphers_opensshserver_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensshserver.config | CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa' |
Configure SSH Client to Use FIPS 140-2 Validated MACs: openssh.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_macs_openssh_conf_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, OL08-00-010290, SV-248561r917902_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/openssh.config contains the following
line and is not commented out:
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com |
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH
client violate expectations, and makes system configuration more
fragmented. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of MACs setting in the /etc/crypto-policies/back-ends/openssh.config file oval:ssg-test_harden_sshd_macs_openssh_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/openssh.config | MACs hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 |
Configure SSH Server to Use FIPS 140-2 Validated MACs: opensshserver.config
| Rule ID | xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-harden_sshd_macs_opensshserver_conf_crypto_policy:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000877, CCI-001453, AC-17(2), SRG-OS-000125-GPOS-00065, SRG-OS-000250-GPOS-00093, OL08-00-010290, SV-248561r917902_rule |
| Description | Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
OpenSSH is supported by system crypto policy, but the OpenSSH configuration may be
set up incorrectly.
To check that Crypto Policies settings are configured correctly, ensure that
/etc/crypto-policies/back-ends/opensshserver.config contains the following
text and is not commented out:
-oMACS=hmac-sha2-512,hmac-sha2-256,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com |
| Rationale | Overriding the system crypto policy makes the behavior of the OpenSSH
server violate expectations, and makes system configuration more
fragmented. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
System Crypto Modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this, the system has to have cryptographic software provided by
a vendor that has undergone this certification. This means providing
documentation, test results, design information, and independent third
party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
test the value of MACs setting in the /etc/crypto-policies/back-ends/opensshserver.config file oval:ssg-test_harden_sshd_macs_opensshserver_conf_crypto_policy:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/crypto-policies/back-ends/opensshserver.config | CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa' |
The Installed Operating System Is Vendor Supported
| Rule ID | xccdf_org.ssgproject.content_rule_installed_OS_is_vendor_supported |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-installed_OS_is_vendor_supported:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, CM-6(a), MA-6, SA-13(a), ID.RA-1, PR.IP-12, SRG-OS-000480-GPOS-00227, OL08-00-010000, SV-248521r779129_rule |
| Description | The installed operating system must be maintained by a vendor.
Oracle Linux is supported by Oracle Corporation. As the Oracle
Linux vendor, Oracle Corporation is responsible for providing security patches. |
| Rationale | An operating system is considered "supported" if the vendor continues to
provide security patches for the product. With an unsupported release, it
will not be possible to resolve any security issue discovered in the system
software. |
| Warnings | warning
There is no remediation besides switching to a different operating system. |
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel7_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-client is version 7 oval:ssg-test_rhel7_client:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_client:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-client |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-workstation is version 7 oval:ssg-test_rhel7_workstation:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_workstation:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-workstation |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-server is version 7 oval:ssg-test_rhel7_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_server:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-server |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-computenode is version 7 oval:ssg-test_rhel7_computenode:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel7_computenode:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-computenode |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 7 oval:ssg-test_rhevh_rhel7_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel7_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | 2 | 0.1.0.1.el8 | 8.9 | 2:8.9-0.1.0.1.el8 | 82562ea9ad986da3 | redhat-release-2:8.9-0.1.0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel8_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel8:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release |
redhat-release is version 8 oval:ssg-test_rhel8:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | 2 | 0.1.0.1.el8 | 8.9 | 2:8.9-0.1.0.1.el8 | 82562ea9ad986da3 | redhat-release-2:8.9-0.1.0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 8 oval:ssg-test_rhevh_rhel8_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel8_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | 2 | 0.1.0.1.el8 | 8.9 | 2:8.9-0.1.0.1.el8 | 82562ea9ad986da3 | redhat-release-2:8.9-0.1.0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_rhel9_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhel9:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release |
redhat-release is version 9 oval:ssg-test_rhel9:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| redhat-release | x86_64 | 2 | 0.1.0.1.el8 | 8.9 | 2:8.9-0.1.0.1.el8 | 82562ea9ad986da3 | redhat-release-2:8.9-0.1.0.1.el8.x86_64 |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
redhat-release-virtualization-host RPM package is installed oval:ssg-test_rhvh4_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhvh4_version:obj:1 of type rpminfo_object
| Name |
|---|
| redhat-release-virtualization-host |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
RHEVH base RHEL is version 9 oval:ssg-test_rhevh_rhel9_version:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_rhevh_rhel9_version:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/redhat-release | ^Red Hat Enterprise Linux release (\d)\.\d+$ | 1 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_ol7_system:obj:1 of type rpminfo_object
| Name |
|---|
| oraclelinux-release |
oraclelinux-release is version 7 oval:ssg-test_ol7_system:tst:1 false
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle12_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 6 oval:ssg-test_sle12_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 6 oval:ssg-test_sle12_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle12_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 12 oval:ssg-test_sles_12_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_12_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SUMA is version 4 oval:ssg-test_suma_4:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
| Name |
|---|
| SUSE-Manager-Server-release |
SUMA is version 4 oval:ssg-test_suma_4:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
| Name |
|---|
| SUSE-Manager-Server-release |
SLE HPC release is version 15 oval:ssg-test_sle_hpc:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
| Name |
|---|
| SLE_HPC-release |
SLE HPC release is version 15 oval:ssg-test_sle_hpc:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
| Name |
|---|
| SLE_HPC-release |
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_unix_family:obj:1 of type family_object
installed OS part of unix family oval:ssg-test_sle15_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sled-release is version 15 oval:ssg-test_sle15_desktop:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_desktop:obj:1 of type rpminfo_object
| Name |
|---|
| sled-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
sles-release is version 15 oval:ssg-test_sle15_server:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle15_server:obj:1 of type rpminfo_object
| Name |
|---|
| sles-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SLES_SAP-release is version 15 oval:ssg-test_sles_15_for_sap:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sles_15_for_sap:obj:1 of type rpminfo_object
| Name |
|---|
| SLES_SAP-release |
SUMA is version 4 oval:ssg-test_suma_4:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
| Name |
|---|
| SUSE-Manager-Server-release |
SUMA is version 4 oval:ssg-test_suma_4:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_suma_4:obj:1 of type rpminfo_object
| Name |
|---|
| SUSE-Manager-Server-release |
SLE HPC release is version 15 oval:ssg-test_sle_hpc:tst:1 not evaluated
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
| Name |
|---|
| SLE_HPC-release |
SLE HPC release is version 15 oval:ssg-test_sle_hpc:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_sle_hpc:obj:1 of type rpminfo_object
| Name |
|---|
| SLE_HPC-release |
Install McAfee Endpoint Security for Linux (ENSL)
| Rule ID | xccdf_org.ssgproject.content_rule_package_mcafeetp_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001263, CCI-000366, SI-2(2), SRG-OS-000191-GPOS-00080, OL08-00-010001, SV-248522r779132_rule |
| Description | Install McAfee Endpoint Security for Linux antivirus software
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem.
The McAfeeTP package can be installed with the following command:
$ sudo yum install McAfeeTP |
| Rationale | Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems. |
| Warnings | warning
Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
automated remediation is not available for this configuration check. |
Ensure McAfee Endpoint Security for Linux (ENSL) is running
| Rule ID | xccdf_org.ssgproject.content_rule_agent_mfetpd_running |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001263, CCI-000366, SI-2(2), SRG-OS-000191-GPOS-00080, OL08-00-010001, SV-248522r779132_rule |
| Description | Install McAfee Endpoint Security for Linux antivirus software
which is provided for DoD systems and uses signatures to search for the
presence of viruses on the filesystem. |
| Rationale | Virus scanning software can be used to detect if a system has been compromised by
computer viruses, as well as to limit their spread to other systems. |
| Warnings | warning
Due to McAfee Endpoint Security for Linux (ENSL) being 3rd party software,
automated remediation is not available for this configuration check. |
Encrypt Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_encrypt_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 13, 14, APO01.06, BAI02.01, BAI06.01, DSS04.07, DSS05.03, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.13.16, CCI-001199, CCI-002475, CCI-002476, 164.308(a)(1)(ii)(D), 164.308(b)(1), 164.310(d), 164.312(a)(1), 164.312(a)(2)(iii), 164.312(a)(2)(iv), 164.312(b), 164.312(c), 164.314(b)(2)(i), 164.312(d), SR 3.4, SR 4.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R4.2, CIP-007-3 R5.1, CM-6(a), SC-28, SC-28(1), SC-13, AU-9(3), PR.DS-1, PR.DS-5, SRG-OS-000405-GPOS-00184, SRG-OS-000185-GPOS-00079, SRG-OS-000404-GPOS-00183, OL08-00-010030, SV-248525r917893_rule |
| Description | Oracle Linux 8 natively supports partition encryption through the
Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
encrypt a partition is during installation time.
For manual installations, select the Encrypt checkbox during
partition creation to encrypt the partition. When this
option is selected the system will prompt for a passphrase to use in
decrypting the partition. The passphrase will subsequently need to be entered manually
every time the system boots.
For automated/unattended installations, it is possible to use Kickstart by adding the --encrypted and --passphrase= options to the definition of each partition to be
encrypted. For example, the following line would encrypt the root partition:
part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=PASSPHRASEAny PASSPHRASE is stored in the Kickstart in plaintext, and the Kickstart must then be protected accordingly. Omitting the --passphrase= option from the partition definition will cause the
installer to pause and interactively ask for the passphrase during installation.
By default, the Anaconda installer uses aes-xts-plain64 cipher
with a minimum 512 bit key size which should be compatible with FIPS enabled.
Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on the Oracle Linux 8 Documentation web site: https://docs.oracle.com/en/operating-systems/oracle-linux/8/install/install-InstallingOracleLinuxManually.html#system-options . |
| Rationale | The risk of a system's physical compromise, particularly mobile systems such as
laptops, places its data at risk of compromise. Encrypting this data mitigates
the risk of its loss if the system is lost. |
Ensure /home Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_home |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-010800, SV-248648r902800_rule |
| Description | If user home directories will be stored locally, create a separate partition
for /home at installation time (or migrate it later using LVM). If
/home will be mounted from another system such as an NFS server, then
creating a separate partition is not necessary at installation time, and the
mountpoint can instead be configured later. |
| Rationale | Ensuring that /home is mounted on its own partition enables the
setting of more restrictive mount options, and also helps ensure that
users cannot trivially fill partitions used for log or audit data storage. |
Ensure /tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_tmp |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-010543, SV-248611r779399_rule |
| Description | The /tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
| Rationale | The /tmp partition is used as temporary storage by many programs.
Placing /tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
Ensure /var Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-010540, SV-248608r902793_rule |
| Description | The /var directory is used by daemons and other system
services to store frequently-changing data. Ensure that /var has its own partition
or logical volume at installation time, or migrate it using LVM. |
| Rationale | Ensuring that /var is mounted on its own partition enables the
setting of more restrictive mount options. This helps protect
system services such as daemons or other programs which use it.
It is not uncommon for the /var directory to contain
world-writable directories installed by other software packages. |
Ensure /var/log Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-010541, SV-248609r902795_rule |
| Description | System logs are stored in the /var/log directory.
Ensure that /var/log has its own partition or logical
volume at installation time, or migrate it using LVM. |
| Rationale | Placing /var/log in its own partition
enables better separation between log files
and other files in /var/. |
Ensure /var/log/audit Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_log_audit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, OL08-00-010542, SV-248610r779396_rule |
| Description | Audit logs are stored in the /var/log/audit directory.
Ensure that /var/log/audit has its own partition or logical
volume at installation time, or migrate it using LVM.
Make absolutely certain that it is large enough to store all
audit logs that will be created by the auditing daemon. |
| Rationale | Placing /var/log/audit in its own partition
enables better separation between audit files
and other files, and helps ensure that
auditing cannot be halted due to the partition running out
of space. |
Ensure /var/tmp Located On Separate Partition
| Rule ID | xccdf_org.ssgproject.content_rule_partition_for_var_tmp |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), SRG-OS-000480-GPOS-00227, OL08-00-010544, SV-248612r902797_rule |
| Description | The /var/tmp directory is a world-writable directory used
for temporary file storage. Ensure it has its own partition or
logical volume at installation time, or migrate it using LVM. |
| Rationale | The /var/tmp partition is used as temporary storage by many programs.
Placing /var/tmp in its own partition enables the setting of more
restrictive mount options, which can help protect programs which use it. |
Disable the GNOME3 Login User List
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CM-6(a), AC-23, SRG-OS-000480-GPOS-00227, OL08-00-020032, SV-248673r779585_rule |
| Description | In the default graphical environment, users logging directly into the
system are greeted with a login screen that displays all known users.
This functionality should be disabled by setting disable-user-list
to true.
To disable, add or edit disable-user-list to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/login-screen] disable-user-list=trueOnce the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/login-screen/disable-user-listAfter the settings have been set, run dconf update. |
| Rationale | Leaving the user list enabled is a security risk since it allows anyone
with physical access to the system to quickly enumerate known user accounts
without logging in. |
Enable the GNOME3 Screen Locking On Smartcard Removal
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_lock_screen_on_smartcard_removal |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000056, CCI-000058, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, OL08-00-020050, SV-248679r818655_rule |
| Description | In the default graphical environment, screen locking on smartcard removal
can be enabled by setting removal-action
to 'lock-screen'.
To enable, add or edit removal-action to
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/peripherals/smartcard] removal-action='lock-screen'Once the setting has been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/settings-daemon/peripherals/smartcard/removal-actionAfter the settings have been set, run dconf update. |
| Rationale | Locking the screen automatically when removing the smartcard can
prevent undesired access to system. |
Disable GDM Automatic Login
| Rule ID | xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.1, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), AC-6(1), CM-7(b), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00229, OL08-00-010820, SV-248649r877377_rule |
| Description | The GNOME Display Manager (GDM) can allow users to automatically login without
user interaction or credentials. User should always be required to authenticate themselves
to the system that they are authorized to use. To disable user ability to automatically
login to the system, set the AutomaticLoginEnable to false in the
[daemon] section in /etc/gdm/custom.conf. For example:
[daemon] AutomaticLoginEnable=false |
| Rationale | Failure to restrict system access to authenticated users negatively impacts operating
system security. |
Set GNOME3 Screensaver Inactivity Timeout
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, OL08-00-020060, SV-248680r779606_rule |
| Description | The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
For example, to configure the system for a 15 minute delay, add the following to /etc/dconf/db/local.d/00-security-settings:
[org/gnome/desktop/session] idle-delay=uint32 900 |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from
the immediate physical vicinity of the information system but does not logout because of the
temporary nature of the absence. Rather than relying on the user to manually lock their operating
system session prior to vacating the vicinity, GNOME3 can be configured to identify when
a user's session has idled and take action to initiate a session lock. |
Set GNOME3 Screensaver Lock Delay After Activation Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-11(a), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, OL08-00-020031, SV-248672r779582_rule |
| Description | To activate the locking delay of the screensaver in the GNOME3 desktop when
the screensaver is activated, add or set lock-delay to uint32 5 in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] lock-delay=uint32 5After the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense. |
Enable GNOME3 Screensaver Lock After Idle Period
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5.5.5, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000056, CCI-000058, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, OL08-00-020030, SV-248671r779579_rule |
| Description |
To activate locking of the screensaver in the GNOME3 desktop when it is activated,
add or set lock-enabled to true in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/desktop/screensaver] lock-enabled=trueOnce the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-enabledAfter the settings have been set, run dconf update. |
| Rationale | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity
of the information system but does not want to logout because of the temporary nature of the absense. |
Ensure Users Cannot Change GNOME3 Screensaver Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, OL08-00-020080, SV-248682r779612_rule |
| Description | If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
by adding /org/gnome/desktop/screensaver/lock-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/screensaver/lock-delayAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
Ensure Users Cannot Change GNOME3 Session Idle Settings
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000057, CCI-000060, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_MOF_EXT.1, Req-8.1.8, 8.2.8, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, OL08-00-020081, SV-248683r779615_rule |
| Description | If not already configured, ensure that users cannot change GNOME3 session idle settings
by adding /org/gnome/desktop/session/idle-delay
to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
For example:
/org/gnome/desktop/session/idle-delayAfter the settings have been set, run dconf update. |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operating system session prior to vacating the vicinity,
GNOME desktops can be configured to identify when a user's session has idled and take action to initiate the
session lock. As such, users should not be allowed to change session settings. |
Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3
| Rule ID | xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.2, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), CM-7(b), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, OL08-00-040171, SV-248870r780176_rule |
| Description | By default, GNOME will reboot the system if the
Ctrl-Alt-Del key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence
from the Graphical User Interface (GUI) instead of rebooting the system,
add or set logout to '' in
/etc/dconf/db/local.d/00-security-settings. For example:
[org/gnome/settings-daemon/plugins/media-keys] logout=''Once the settings have been added, add a lock to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent
user modification. For example:
/org/gnome/settings-daemon/plugins/media-keys/logoutAfter the settings have been set, run dconf update. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_no_authenticate:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL08-00-010381, SV-248582r880551_rule |
| Description | The sudo !authenticate option, when specified, allows a user to execute commands using
sudo without having to authenticate. This should be disabled by making sure that the
!authenticate option does not exist in /etc/sudoers configuration file or
any sudo configuration snippets in /etc/sudoers.d/. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
!authenticate does not exist in /etc/sudoers oval:ssg-test_no_authenticate_etc_sudoers:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
!authenticate does not exist in /etc/sudoers.d oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+\!authenticate.*$ | 1 |
Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudo_remove_nopasswd:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R5), BP28(R59), 1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL08-00-010380, SV-248581r860915_rule |
| Description | The sudo NOPASSWD tag, when specified, allows a user to execute
commands using sudo without having to authenticate. This should be disabled
by making sure that the NOPASSWD tag does not exist in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
NOPASSWD does not exist /etc/sudoers oval:ssg-test_nopasswd_etc_sudoers:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
NOPASSWD does not exist in /etc/sudoers.d oval:ssg-test_nopasswd_etc_sudoers_d:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers_d:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sudoers.d | ^.*$ | ^(?!#).*[\s]+NOPASSWD[\s]*\:.*$ | 1 |
Require Re-Authentication When Using the sudo Command
| Rule ID | xccdf_org.ssgproject.content_rule_sudo_require_reauthentication |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL08-00-010384, SV-248585r880557_rule |
| Description | The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits.
The default timestamp_timeout value is 5 minutes.
The timestamp_timeout should be configured by making sure that the
timestamp_timeout tag exists in
/etc/sudoers configuration file or any sudo configuration snippets
in /etc/sudoers.d/.
If the value is set to an integer less than 0, the user's time stamp will not expire
and the user will not have to re-authenticate for privileged actions until the user's session is terminated. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they
do not have authorization.
When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate. |
Ensure sudo only includes the default configuration directory
| Rule ID | xccdf_org.ssgproject.content_rule_sudoers_default_includedir |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-sudoers_default_includedir:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010379, SV-252655r880549_rule |
| Description | Administrators can configure authorized sudo users via drop-in files, and it is possible to include
other directories and configuration files from the file currently being parsed.
Make sure that /etc/sudoers only includes drop-in configuration files from /etc/sudoers.d,
or that no drop-in file is included.
Either the /etc/sudoers should contain only one #includedir directive pointing to
/etc/sudoers.d, and no file in /etc/sudoers.d/ should include other files or directories;
Or the /etc/sudoers should not contain any #include,
@include, #includedir or @includedir directives.
Note that the '#' character doesn't denote a comment in the configuration file. |
| Rationale | Some sudo configurtion options allow users to run programs without re-authenticating.
Use of these configuration options makes it easier for one compromised accound to be used to
compromise other accounts. |
test none sudoers #include or @include oval:ssg-test_sudoers_without_include:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^[#@]include[\s]+.*$ | 1 |
test none sudoers #includedir or @includdir oval:ssg-test_sudoers_without_includedir:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_includedir:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^[#@]includedir[\s]+.*$ | 1 |
test only one sudoers #includedir oval:ssg-test_sudoers_default_includedir:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_default_includedir:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^#includedir[\s]+(.*)$ | 1 |
test none sudoers #include or @include oval:ssg-test_sudoers_without_include:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^[#@]include[\s]+.*$ | 1 |
test none sudoers @includedir oval:ssg-test_sudoers_without_includedir_new:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoers_without_include_new:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/sudoers | ^@includedir[\s]+.*$ | 1 |
test none sudoers.d #include, @include, #includedir or @includedir oval:ssg-test_sudoersd_without_includes:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_sudoersd_without_includes:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/sudoers.d/ | .* | ^[#@]include(?:dir)?[\s]+.*$ | 1 |
Ensure invoking users password for privilege escalation when using sudo
| Rule ID | xccdf_org.ssgproject.content_rule_sudoers_validate_passwd |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CCI-002227, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, OL08-00-010383, SV-248584r880554_rule |
| Description | The sudoers security policy requires that users authenticate themselves before they can use sudo.
When sudoers requires authentication, it validates the invoking user's credentials.
The expected output for:
sudo cvtsudoers -f sudoers /etc/sudoers | grep -E '^Defaults !?(rootpw|targetpw|runaspw)$' Defaults !targetpw
Defaults !rootpw
Defaults !runaspw
or if cvtsudoers not supported:
sudo find /etc/sudoers /etc/sudoers.d \( \! -name '*~' -a \! -name '*.*' \) -exec grep -E --with-filename '^[[:blank:]]*Defaults[[:blank:]](.*[[:blank:]])?!?\b(rootpw|targetpw|runaspw)' -- {} \;
/etc/sudoers:Defaults !targetpw
/etc/sudoers:Defaults !rootpw
/etc/sudoers:Defaults !runaspw |
| Rationale | If the rootpw, targetpw, or runaspw flags are defined and not disabled, by default the operating system will prompt
the invoking user for the "root" user password. |
Install rng-tools Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rng-tools_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010472, SV-248600r779366_rule |
| Description | The rng-tools package can be installed with the following command:
$ sudo yum install rng-tools |
| Rationale | rng-tools provides hardware random number generator tools,
such as those used in the formation of x509/PKI certificates. |
Uninstall abrt-libs Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-libs_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-libs_removed:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000381, SRG-OS-000095-GPOS-00049, OL08-00-040001, SV-248824r780038_rule |
| Description | The abrt-libs package can be removed with the following command:
$ sudo yum erase abrt-libs |
| Rationale | abrt-libs provides libraries for the ABRT package. |
package abrt-libs is removed oval:ssg-test_package_abrt-libs_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-libs_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt-libs |
Uninstall abrt-server-info-page Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt-server-info-page_removed:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000381, SRG-OS-000095-GPOS-00049, OL08-00-040001, SV-248824r780038_rule |
| Description | The abrt-server-info-page package can be removed with the following command:
$ sudo yum erase abrt-server-info-page |
| Rationale | abrt-server-info-page provides a web page with summary of ABRT services. |
package abrt-server-info-page is removed oval:ssg-test_package_abrt-server-info-page_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt-server-info-page_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt-server-info-page |
Uninstall gssproxy Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_gssproxy_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_gssproxy_removed:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000381, CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, OL08-00-040370, SV-248904r780278_rule |
| Description | The gssproxy package can be removed with the following command:
$ sudo yum erase gssproxy |
| Rationale | gssproxy is a proxy for GSS API credential handling. |
package gssproxy is removed oval:ssg-test_package_gssproxy_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_gssproxy_removed:obj:1 of type rpminfo_object
| Name |
|---|
| gssproxy |
Uninstall iprutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_iprutils_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_iprutils_removed:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, OL08-00-040380, SV-248905r780281_rule |
| Description | The iprutils package can be removed with the following command:
$ sudo yum erase iprutils |
| Rationale | iprutils provides a suite of utlilities to manage and configure SCSI devices
supported by the ipr SCSI storage device driver. |
package iprutils is removed oval:ssg-test_package_iprutils_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_iprutils_removed:obj:1 of type rpminfo_object
| Name |
|---|
| iprutils |
Uninstall krb5-workstation Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000803, SRG-OS-000095-GPOS-00049, SRG-OS-000120-GPOS-00061, OL08-00-010162, SV-248546r779204_rule |
| Description | The krb5-workstation package can be removed with the following command:
$ sudo yum erase krb5-workstation |
| Rationale | Kerberos is a network authentication system. The krb5-workstation package contains the basic
Kerberos programs (kinit, klist, kdestroy, kpasswd). |
Uninstall libreport-plugin-logger Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_libreport-plugin-logger_removed:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000381, SRG-OS-000095-GPOS-00049, OL08-00-040001, SV-248824r780038_rule |
| Description | The libreport-plugin-logger package can be removed with the following command:
$ sudo yum erase libreport-plugin-logger |
| Rationale | libreport-plugin-logger is a ABRT plugin to report bugs into the
Red Hat Support system. |
package libreport-plugin-logger is removed oval:ssg-test_package_libreport-plugin-logger_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_libreport-plugin-logger_removed:obj:1 of type rpminfo_object
| Name |
|---|
| libreport-plugin-logger |
Uninstall tuned Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tuned_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tuned_removed:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, OL08-00-040390, SV-248906r780284_rule |
| Description | The tuned package can be removed with the following command:
$ sudo yum erase tuned |
| Rationale | tuned contains a daemon that tunes the system settings dynamically.
It does so by monitoring the usage of several system components periodically. Based
on that information, components will then be put into lower or higher power savings
modes to adapt to the current usage. |
package tuned is removed oval:ssg-test_package_tuned_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tuned_removed:obj:1 of type rpminfo_object
| Name |
|---|
| tuned |
Ensure yum Removes Previous Package Versions
| Rule ID | xccdf_org.ssgproject.content_rule_clean_components_post_updating |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-clean_components_post_updating:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 18, 20, 4, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, 3.4.8, CCI-002617, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(6), CM-11(a), CM-11(b), CM-6(a), ID.RA-1, PR.IP-12, SRG-OS-000437-GPOS-00194, OL08-00-010440, SV-248595r853773_rule |
| Description | yum should be configured to remove previous software components after
new versions have been installed. To configure yum to remove the
previous software components after updating, set the clean_requirements_on_remove
to 1 in /etc/yum.conf. |
| Rationale | Previous versions of software components that are not removed from the information
system after updates have been installed may be exploited by some adversaries. |
check value of clean_requirements_on_remove in /etc/yum.conf oval:ssg-test_yum_clean_components_post_updating:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/yum.conf | clean_requirements_on_remove=True |
Ensure gpgcheck Enabled In Main yum Configuration
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_globally_activated:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, OL08-00-010370, SV-248574r877463_rule |
| Description | The gpgcheck option controls whether
RPM packages' signatures are always checked prior to installation.
To configure yum to check package signatures before installing
them, ensure the following line appears in /etc/yum.conf in
the [main] section:
gpgcheck=1 |
| Rationale | Changes to any software components can have significant effects on the
overall security of the operating system. This requirement ensures the
software has not been tampered with and that it has been provided by a
trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA). |
check value of gpgcheck in /etc/yum.conf oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/yum.conf | gpgcheck=1 |
Ensure gpgcheck Enabled for Local Packages
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_local_packages:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R15), 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-11(a), CM-11(b), CM-6(a), CM-5(3), SA-12, SA-12(10), PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, SRG-OS-000366-GPOS-00153, OL08-00-010371, SV-248575r877463_rule |
| Description | yum should be configured to verify the signature(s) of local packages
prior to installation. To configure yum to verify signatures of local
packages, set the localpkg_gpgcheck to 1 in /etc/yum.conf. |
| Rationale | Changes to any software components can have significant effects to the overall security
of the operating system. This requirement ensures the software has not been tampered and
has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization. |
check value of localpkg_gpgcheck in /etc/yum.conf oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_yum_ensure_gpgcheck_local_packages:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/yum.conf | ^\s*localpkg_gpgcheck\s*=\s*(1|True|yes)\s*$ | 1 |
Ensure gpgcheck Enabled for All yum Package Repositories
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_gpgcheck_never_disabled:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, 6.3.3, SRG-OS-000366-GPOS-00153, OL08-00-010370, SV-248574r877463_rule |
| Description | To ensure signature checking is not disabled for
any repos, remove any lines from files in /etc/yum.repos.d of the form:
gpgcheck=0 |
| Rationale | Verifying the authenticity of the software prior to installation validates
the integrity of the patch or upgrade received from a vendor. This ensures
the software has not been tampered with and that it has been provided by a
trusted vendor. Self-signed certificates are disallowed by this
requirement. Certificates used to verify the software must be from an
approved Certificate Authority (CA)." |
check for existence of gpgcheck=0 in /etc/yum.repos.d/ files oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/yum.repos.d | .* | ^\s*gpgcheck\s*=\s*0\s*$ | 1 |
Ensure Oracle Linux GPG Key Installed
| Rule ID | xccdf_org.ssgproject.content_rule_ensure_oracle_gpgkey_installed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-ensure_oracle_gpgkey_installed:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 11, 2, 3, 9, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, CCI-001749, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, Req-6.2, OL08-00-010019, 1.2.2, SV-256978r902784_rule |
| Description | To ensure the system can cryptographically verify base software
packages come from Oracle (and to connect to the Unbreakable Linux Network to
receive them), the Oracle GPG key must properly be installed.
To install the Oracle GPG key, run:
$ sudo uln_registerIf the system is not connected to the Internet, then install the Oracle GPG key from trusted media such as the Oracle installation CD-ROM or DVD. Assuming the disc is mounted in /media/cdrom, use the following command as the root user to import
it into the keyring:
$ sudo rpm --import /media/cdrom/RPM-GPG-KEY-oracleAlternatively, the key may be pre-loaded during the Oracle installation. In such cases, the key can be installed by running the following command: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle |
| Rationale | Changes to software components can have significant effects on the
overall security of the operating system. This requirement ensures
the software has not been tampered with and that it has been provided
by a trusted vendor. The Oracle GPG key is necessary to
cryptographically verify packages are from Oracle. |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
Test installed OS is part of the unix family oval:ssg-test_unix_family:tst:1 true
Following items have been found on the system:
| Family |
|---|
| unix |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
oraclelinux-release is version 8 oval:ssg-test_ol8_system:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| oraclelinux-release | x86_64 | 8 | 1.0.8.el8 | 8.9 | 8:8.9-1.0.8.el8 | 82562ea9ad986da3 | oraclelinux-release-8:8.9-1.0.8.el8.x86_64 |
Oracle release key package is installed oval:ssg-test_package_gpgkey-ad986da3-5cabf60d_installed:tst:1 true
Following items have been found on the system:
| Name | Arch | Epoch | Release | Version | Evr | Signature keyid | Extended name |
|---|---|---|---|---|---|---|---|
| gpg-pubkey | (none) | (none) | 5cabf60d | ad986da3 | 0:ad986da3-5cabf60d | 0 | gpg-pubkey-0:ad986da3-5cabf60d.(none) |
Ensure Software Patches Installed
| Rule ID | xccdf_org.ssgproject.content_rule_security_patches_up_to_date |
| Result | notchecked |
| Multi-check rule | yes |
| OVAL Definition ID | |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R08), 18, 20, 4, 5.10.4.1, APO12.01, APO12.02, APO12.03, APO12.04, BAI03.10, DSS05.01, DSS05.02, CCI-000366, CCI-001227, 4.2.3, 4.2.3.12, 4.2.3.7, 4.2.3.9, A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3, SI-2(5), SI-2(c), CM-6(a), ID.RA-1, PR.IP-12, FMT_MOF_EXT.1, Req-6.2, 6.3.3, SRG-OS-000480-GPOS-00227, OL08-00-010010, SV-248523r779135_rule |
| Description |
If the system is joined to the ULN
or a yum server, run the following command to install updates:
$ sudo yum updateIf the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the ULN and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates. |
| Rationale | Installing software updates is a fundamental mitigation against
the exploitation of publicly-known vulnerabilities. If the most
recent security patches and updates are not installed, unauthorized
users may take advantage of weaknesses in the unpatched software. The
lack of prompt attention to patching could result in a system compromise. |
| Warnings | warning
The OVAL feed of Oracle Linux 8 is not a XML file, which may not be understood by all scanners. |
An SELinux Context must be configured for the pam_faillock.so records directory
| Rule ID | xccdf_org.ssgproject.content_rule_account_password_selinux_faillock_dir |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000044, AC-7 (a), SRG-OS-000021-GPOS-00005, OL08-00-020027, SV-248669r853791_rule |
| Description | The dir configuration option in PAM pam_faillock.so module defines where the lockout
records is stored. The configured directory must have the correct SELinux context. |
| Rationale | Not having the correct SELinux context on the pam_faillock.so records directory may lead to
unauthorized access to the directory. |
Limit Password Reuse: password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwhistory_remember_password_auth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, OL08-00-020220, SV-248698r902821_rule |
| Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
On systems with newer versions of authselect, the pam_pwhistory PAM module
can be enabled via authselect feature:
authselect enable-feature with-pwhistoryOtherwise, it should be enabled using an authselect custom profile. Newer systems also have the /etc/security/pwhistory.conf file for setting
pam_pwhistory module options. This file should be used whenever available.
Otherwise, the pam_pwhistory module options can be set in PAM files.
The value for remember option must be equal or greater than
5 |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not
re-used by a user. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.warning
Newer versions of authselect contain an authselect feature to easily and properly
enable pam_pwhistory.so module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files.
If a custom profile was created and used in the system before this authselect feature was
available, the new feature can't be used with this custom profile and the
remediation will fail. In this case, the custom profile should be recreated or manually
updated. |
Check pam_pwhistory.so presence in /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | |||||
|---|---|---|---|---|---|---|---|
| /etc/pam.d/password-auth | 1 |
Check remember parameter is present and correct in /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pamd:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| /etc/pam.d/password-auth | 1 |
Check the absence of remember parameter in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pwhistory_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^\s*remember\s*=\s*([0-9]+) | ^/etc/security/pwhistory.conf$ | 1 |
Check remember parameter is absent in /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_no_pamd:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_pamd:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ | /etc/pam.d/password-auth | 1 |
Check remember parameter is present and correct in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth_pwhistory_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_password_auth_param_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/security/pwhistory.conf$ | 1 |
Limit Password Reuse: system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwhistory_remember_system_auth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, OL08-00-020221, SV-252661r902824_rule |
| Description | Do not allow users to reuse recent passwords. This can be accomplished by using the
remember option for the pam_pwhistory PAM module.
On systems with newer versions of authselect, the pam_pwhistory PAM module
can be enabled via authselect feature:
authselect enable-feature with-pwhistoryOtherwise, it should be enabled using an authselect custom profile. Newer systems also have the /etc/security/pwhistory.conf file for setting
pam_pwhistory module options. This file should be used whenever available.
Otherwise, the pam_pwhistory module options can be set in PAM files.
The value for remember option must be equal or greater than
5 |
| Rationale | Preventing re-use of previous passwords helps ensure that a compromised password is not
re-used by a user. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.warning
Newer versions of authselect contain an authselect feature to easily and properly
enable pam_pwhistory.so module. If this feature is not yet available in your
system, an authselect custom profile must be used to avoid integrity issues in PAM files. |
Check pam_pwhistory.so presence in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | |||||
|---|---|---|---|---|---|---|---|
| /etc/pam.d/system-auth | 1 |
Check remember parameter is present and correct in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pamd:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| /etc/pam.d/system-auth | 1 |
Check the absence of remember parameter in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pwhistory_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^\s*remember\s*=\s*([0-9]+) | ^/etc/security/pwhistory.conf$ | 1 |
Check remember parameter is absent in /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_no_pamd:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_pamd:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^\s*password\b.*\bpam_pwhistory\.so\b.*\bremember=([0-9]*).*$ | /etc/pam.d/system-auth | 1 |
Check remember parameter is present and correct in /etc/security/pwhistory.conf oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth_pwhistory_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_pam_pwhistory_remember_system_auth_param_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/security/pwhistory.conf$ | 1 |
Account Lockouts Must Be Logged
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_audit:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000044, AC-7 (a), SRG-OS-000021-GPOS-00005, OL08-00-020021, SV-248663r853786_rule |
| Description | PAM faillock locks an account due to excessive password failures, this event must be logged. |
| Rationale | Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack. |
Check the presence of audit parameter in system-auth oval:ssg-test_pam_faillock_audit_parameter_system_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/system-auth | 1 |
Check the presence of audit parameter in password-auth oval:ssg-test_pam_faillock_audit_parameter_password_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/password-auth | 1 |
Check the absence of audit parameter in /etc/security/faillock.conf oval:ssg-test_pam_faillock_audit_parameter_no_faillock_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/faillock.conf | ^\s*audit | 1 |
Check the absence of audit parameter in system-auth oval:ssg-test_pam_faillock_audit_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/system-auth | 1 |
Check the absence of audit parameter in password-auth oval:ssg-test_pam_faillock_audit_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit | /etc/pam.d/password-auth | 1 |
Check the expected audit value in in /etc/security/faillock.conf oval:ssg-test_pam_faillock_audit_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/faillock.conf | ^\s*audit | 1 |
Lock Accounts After Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, OL08-00-020010, SV-248652r853775_rule |
| Description | This rule configures the system to lock out accounts after a number of incorrect login attempts
using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected.
Ensure that the file /etc/security/faillock.conf contains the following entry:
deny = <count>
Where count should be less than or equal to
3 and greater than 0.
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Check the expected deny value in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/system-auth$ | 1 |
Check the expected deny value in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/password-auth$ | 1 |
Check the absence of deny parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*deny[\s]*=[\s]*([0-9]+) | ^/etc/security/faillock.conf$ | 1 |
Check the absence of deny parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of deny parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+) | ^/etc/pam.d/password-auth$ | 1 |
Check the expected deny value in in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/security/faillock.conf$ | 1 |
Configure the root Account for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-002238, CCI-000044, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), IA-5(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, OL08-00-020022, SV-248664r853787_rule |
| Description | This rule configures the system to lock out the root account after a number of
incorrect login attempts using pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | By limiting the number of failed logon attempts, the risk of unauthorized system access via
user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking
the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one pattern occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one pattern occurrence is expected in account section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_system_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
One and only one pattern occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one pattern occurrence is expected in account section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_password_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Check the expected even_deny_root parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/system-auth$ | 1 |
Check the expected even_deny_root parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/password-auth$ | 1 |
Check the absence of even_deny_root parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_faillock_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*even_deny_root | ^/etc/security/faillock.conf$ | 1 |
Check the absence of even_deny_root parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of even_deny_root parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*even_deny_root | ^/etc/pam.d/password-auth$ | 1 |
Check the expected even_deny_root parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_root_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*even_deny_root | ^/etc/security/faillock.conf$ | 1 |
Lock Accounts Must Persist
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_dir |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_dir:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000044, CCI-002238, AC-7(b), AC-7(a), AC-7.1(ii), SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, OL08-00-020016, SV-248658r853781_rule |
| Description | This rule ensures that the system lock out accounts using pam_faillock.so persist
after system reboot. From "pam_faillock" man pages:
Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the "dir" option.pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.
The chosen profile expects the directory to be /var/log/faillock. |
| Rationale | Locking out user accounts after a number of incorrect attempts prevents direct password
guessing attacks. In combination with the silent option, user enumeration attacks
are also mitigated. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
Check that the expected dir value in system-auth is present both with preauth and authfail oval:ssg-test_pam_faillock_dir_parameter_system_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_system_auth:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-var_faillock_dir_set_both_preauth_authfail_system_auth:var:1 |
Check that the expected dir value in password-auth is present both with preauth and authfail oval:ssg-test_pam_faillock_dir_parameter_password_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_pam_faillock_dir_parameter_password_auth:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-var_faillock_dir_set_both_preauth_authfail_password_auth:var:1 |
Check the absence of dir parameter in /etc/security/faillock.conf oval:ssg-test_pam_faillock_dir_parameter_no_faillock_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_dir_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| /etc/security/faillock.conf | 1 |
Check the absence of dir parameter in system-auth oval:ssg-test_pam_faillock_dir_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | Filter | ||
|---|---|---|---|---|---|
| /etc/pam.d/system-auth | 1 | oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 |
Check the absence of dir parameter in password-auth oval:ssg-test_pam_faillock_dir_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_dir_parameter_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | Filter | ||
|---|---|---|---|---|---|
| /etc/pam.d/password-auth | 1 | oval:ssg-state_pam_faillock_dir_parameter_not_default_value:ste:1 |
Check the expected dir value in in /etc/security/faillock.conf oval:ssg-test_pam_faillock_dir_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_dir_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| /etc/security/faillock.conf | 1 |
Set Interval For Counting Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_interval:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, OL08-00-020012, SV-248654r853777_rule |
| Description | Utilizing pam_faillock.so, the fail_interval directive configures the system
to lock out an account after a number of incorrect login attempts within a specified time
period.
Ensure that the file /etc/security/faillock.conf contains the following entry:
fail_interval = <interval-in-seconds> where interval-in-seconds is 900 or greater.
In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_system_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_password_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Check the expected fail_interval value in system-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/system-auth$ | 1 |
Check the expected fail_interval value in password-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_pamd_password:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/password-auth$ | 1 |
Check the absence of fail_interval parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_faillock_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*fail_interval[\s]*=[\s]*([0-9]+) | ^/etc/security/faillock.conf$ | 1 |
Check the absence of fail_interval parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of fail_interval parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*fail_interval=([0-9]+) | ^/etc/pam.d/password-auth$ | 1 |
Check the expected fail_interval value in in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_interval_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/security/faillock.conf$ | 1 |
Do Not Show System Messages When Unsuccessful Logon Attempts Occur
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_silent |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_silent:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-002238, CCI-000044, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, OL08-00-020019, SV-248661r853784_rule |
| Description | This rule ensures the system prevents informative messages from being presented to the user
pertaining to logon information after a number of incorrect login attempts using
pam_faillock.so.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version. |
| Rationale | The pam_faillock module without the silent option will leak information about the existence or
non-existence of a user account in the system because the failures are not recorded for unknown
users. The message about the user account being locked is never displayed for non-existing user
accounts allowing the adversary to infer that a particular account exists or not on the system. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
Check the presence of silent parameter in system-auth oval:ssg-test_pam_faillock_silent_parameter_system_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_silent_parameter_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]+preauth[^\n#]+silent | /etc/pam.d/system-auth | 1 |
Check the presence of silent parameter in password-auth oval:ssg-test_pam_faillock_silent_parameter_password_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_silent_parameter_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]+preauth[^\n#]+silent | /etc/pam.d/password-auth | 1 |
Check the absence of silent parameter in system-auth oval:ssg-test_pam_faillock_silent_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_silent_parameter_system_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]+preauth[^\n#]+silent | /etc/pam.d/system-auth | 1 |
Check the absence of silent parameter in password-auth oval:ssg-test_pam_faillock_silent_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_all_pam_faillock_silent_parameter_password_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]+preauth[^\n#]+silent | /etc/pam.d/password-auth | 1 |
Check the expected silent value in in /etc/security/faillock.conf oval:ssg-test_pam_faillock_silent_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_pam_faillock_silent_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/faillock.conf | ^\s*silent | 1 |
Set Lockout Time for Failed Password Attempts
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, 8.3.4, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, OL08-00-020014, SV-248656r853779_rule |
| Description | This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so.
Ensure that the file /etc/security/faillock.conf contains the following entry:
unlock_time=<interval-in-seconds> where
interval-in-seconds is 0 or greater.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as authselect or authconfig,
depending on the OS version.
If unlock_time is set to 0, manual intervention by an administrator is required
to unlock a user. This should be done using the faillock tool. |
| Rationale | By limiting the number of failed logon attempts the risk of unauthorized system
access via user password guessing, otherwise known as brute-forcing, is reduced.
Limits are imposed by locking the account. |
| Warnings | warning
If the system supports the new /etc/security/faillock.conf file but the
pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and
/etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter
to /etc/security/faillock.conf to ensure compatibility with authselect tool.
The parameters deny and fail_interval, if used, also have to be migrated
by their respective remediation.warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf file, the pam_faillock
parameters should be defined in faillock.conf file. |
No more than one pam_unix.so is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
No more than one pam_unix.so is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth\N+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/system-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+preauth[\s\S]*^[\s]*auth[\s]+(sufficient|\[(?=.*\bsuccess=done\b)(?=.*?\bnew_authtok_reqd=done\b)(?=.*?\bdefault=ignore\b).*\])[\s]+pam_unix\.so[\s\S]*^[\s]*auth[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\w\d=]+authfail | ^/etc/pam.d/password-auth$ | 1 |
One and only one occurrence is expected in auth section of password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_faillock\.so[\s\S]*^[\s]*account[\s]+(required|\[(?=.*?\bsuccess=ok\b)(?=.*?\bnew_authtok_reqd=ok\b)(?=.*?\bignore=ignore\b)(?=.*?\bdefault=bad\b).*\])[\s]+pam_unix\.so | ^/etc/pam.d/password-auth$ | 1 |
Check the expected unlock_time value in system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/system-auth$ | 1 |
Check the expected unlock_time value in password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/pam.d/password-auth$ | 1 |
Check the absence of unlock_time parameter in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*unlock_time[\s]*=[\s]*([0-9]+) | ^/etc/security/faillock.conf$ | 1 |
Check the absence of unlock_time parameter in system-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | ^/etc/pam.d/system-auth$ | 1 |
Check the absence of unlock_time parameter in password-auth oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+) | ^/etc/pam.d/password-auth$ | 1 |
Check the expected unlock_time value in in /etc/security/faillock.conf oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance | ||
|---|---|---|---|---|
| ^/etc/security/faillock.conf$ | 1 |
Ensure PAM Enforces Password Requirements - Minimum Digit Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_dcredit:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000194, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000071-GPOS-00039, OL08-00-020130, SV-248689r858635_rule |
| Description | The pam_pwquality module's dcredit parameter controls requirements for
usage of digits in a password. When set to a negative number, any password will be required to
contain that many digits. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each digit. Modify the dcredit setting in
/etc/security/pwquality.conf to require the use of a digit in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring digits makes password guessing attacks more difficult by ensuring a larger search space. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_dcredit:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_dcredit:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*dcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_dcredit_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_dcredit_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bdcredit\b | 1 |
Ensure PAM Enforces Password Requirements - Prevent the Use of Dictionary Words
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_dictcheck |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_dictcheck:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), SRG-OS-000480-GPOS-00225, OL08-00-020300, SV-248711r858649_rule |
| Description | The pam_pwquality module's dictcheck check if passwords contains dictionary words. When
dictcheck is set to 1 passwords will be checked for dictionary words. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Passwords with dictionary words may be more vulnerable to password-guessing attacks. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_dictcheck:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_dictcheck:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*dictcheck[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_dictcheck_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_dictcheck_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bdictcheck\b | 1 |
Ensure PAM Enforces Password Requirements - Minimum Different Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_difok |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_difok:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(b), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, OL08-00-020170, SV-248693r858643_rule |
| Description | The pam_pwquality module's difok parameter sets the number of characters
in a password that must not be present in and old password during a password change.
Modify the difok setting in /etc/security/pwquality.conf
to equal 8 to require differing characters
when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources
required to compromise the password. Password complexity, or strength,
is a measure of the effectiveness of a password in resisting attempts
at guessing and brute–force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of different characters during password changes ensures that newly changed passwords should not resemble previously compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_difok:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_difok:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*difok[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_difok_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_difok_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bdifok\b | 1 |
Ensure PAM Enforces Password Requirements - Minimum Lowercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_lcredit:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000070-GPOS-00038, OL08-00-020120, SV-248688r858633_rule |
| Description | The pam_pwquality module's lcredit parameter controls requirements for
usage of lowercase letters in a password. When set to a negative number, any password will be required to
contain that many lowercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each lowercase character. Modify the lcredit setting in
/etc/security/pwquality.conf to require the use of a lowercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possble combinations that need to be tested before the password is compromised. Requiring a minimum number of lowercase characters makes password guessing attacks more difficult by ensuring a larger search space. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_lcredit:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_lcredit:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*lcredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_lcredit_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_lcredit_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\blcredit\b | 1 |
Ensure PAM Enforces Password Requirements - Maximum Consecutive Repeating Characters from Same Character Class
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_maxclassrepeat:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, OL08-00-020140, SV-248690r858637_rule |
| Description | The pam_pwquality module's maxclassrepeat parameter controls requirements for
consecutive repeating characters from the same character class. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters from the same character class. Modify the
maxclassrepeat setting in /etc/security/pwquality.conf to equal 4
to prevent a run of (4 + 1) or more identical characters. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting
attempts at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex a password, the greater the number of possible combinations that need to be tested before the password is compromised. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxclassrepeat:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*maxclassrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_maxclassrepeat_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxclassrepeat_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bmaxclassrepeat\b | 1 |
Set Password Maximum Consecutive Repeating Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_maxrepeat:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, OL08-00-020150, SV-248691r858639_rule |
| Description | The pam_pwquality module's maxrepeat parameter controls requirements for
consecutive repeating characters. When set to a positive number, it will reject passwords
which contain more than that number of consecutive characters. Modify the maxrepeat setting
in /etc/security/pwquality.conf to equal 3 to prevent a
run of (3 + 1) or more identical characters. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at
guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxrepeat:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*maxrepeat[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_maxrepeat_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_maxrepeat_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bmaxrepeat\b | 1 |
Ensure PAM Enforces Password Requirements - Minimum Different Categories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minclass:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, OL08-00-020160, SV-248692r858641_rule |
| Description | The pam_pwquality module's minclass parameter controls
requirements for usage of different character classes, or types, of character
that must exist in a password before it is considered valid. For example,
setting this value to three (3) requires that any password must have characters
from at least three different categories in order to be approved. The default
value is zero (0), meaning there are no required classes. There are four
categories available:
* Upper-case characters * Lower-case characters * Digits * Special characters (for example, punctuation)Modify the minclass setting in /etc/security/pwquality.conf entry
to require 4
differing categories of characters when changing passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minclass:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minclass:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*minclass[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_minclass_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minclass_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bminclass\b | 1 |
Ensure PAM Enforces Password Requirements - Minimum Length
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_minlen:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000078-GPOS-00046, OL08-00-020230, SV-248699r858645_rule |
| Description | The pam_pwquality module's minlen parameter controls requirements for
minimum characters required in a password. Add minlen=15
after pam_pwquality to set minimum password length requirements. |
| Rationale | The shorter the password, the lower the number of possible combinations
that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_minlen:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minlen:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*minlen[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_minlen_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_minlen_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bminlen\b | 1 |
Ensure PAM Enforces Password Requirements - Minimum Special Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ocredit:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-001619, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, SRG-OS-000266-GPOS-00101, OL08-00-020280, SV-248709r858647_rule |
| Description | The pam_pwquality module's ocredit= parameter controls requirements for
usage of special (or "other") characters in a password. When set to a negative number,
any password will be required to contain that many special characters.
When set to a positive number, pam_pwquality will grant +1
additional length credit for each special character. Modify the ocredit setting
in /etc/security/pwquality.conf to equal -1
to require use of a special character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required
to compromise the password. Password complexity, or strength, is a measure of
the effectiveness of a password in resisting attempts at guessing and brute-force
attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_ocredit:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_ocredit:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*ocredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_ocredit_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_ocredit_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bocredit\b | 1 |
Ensure PAM password complexity module is enabled in password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_password_auth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwquality_password_auth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, SRG-OS-000480-GPOS-00227, OL08-00-020100, SV-248686r902809_rule |
| Description | To enable PAM password complexity in password-auth file:
Edit the password section in
/etc/pam.d/password-auth to show
password requisite pam_pwquality.so. |
| Rationale | Enabling PAM password complexity permits to enforce strong passwords and consequently
makes the system less prone to dictionary attacks. |
check the configuration of /etc/pam.d/password-auth oval:ssg-test_accounts_password_pam_pwquality_password_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | password requisite pam_pwquality.so |
Ensure PAM password complexity module is enabled in system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_pwquality_system_auth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_pwquality_system_auth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-020101, SV-252657r902812_rule |
| Description | To enable PAM password complexity in system-auth file:
Edit the password section in
/etc/pam.d/system-auth to show
password requisite pam_pwquality.so. |
| Rationale | Enabling PAM password complexity permits to enforce strong passwords and consequently
makes the system less prone to dictionary attacks. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_accounts_password_pam_pwquality_system_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so |
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_retry |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_retry:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, OL08-00-020104, SV-252660r858600_rule |
| Description | To configure the number of retry prompts that are permitted per-session:
Edit the /etc/security/pwquality.conf to include
retry=3, or a lower value if site
policy is more restrictive. The DoD requirement is a maximum of 3 prompts
per session. |
| Rationale | Setting the password retry prompts that are permitted on a per-session basis to a low value
requires some software, such as SSH, to re-connect. This can slow down and
draw additional attention to some types of password-guessing attacks. Note that this
is different from account lockout, which is provided by the pam_faillock module. |
check the configuration of /etc/pam.d/password-auth oval:ssg-test_password_pam_pwquality_retry_password_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/pam.d/password-auth oval:ssg-test_password_pam_pwquality_retry_password_auth_not_set:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality_retry_system_auth_not_set:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_retry_pwquality_conf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_pwquality_conf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/pwquality.conf | ^[\s]*retry[\s]*=[\s]*(\d+)(?:[\s]|$) | 1 |
Ensure PAM Enforces Password Requirements - Minimum Uppercase Characters
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_pam_ucredit:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000193, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000069-GPOS-00037, SRG-OS-000070-GPOS-00038, OL08-00-020110, SV-248687r858631_rule |
| Description | The pam_pwquality module's ucredit= parameter controls requirements for
usage of uppercase letters in a password. When set to a negative number, any password will be required to
contain that many uppercase characters. When set to a positive number, pam_pwquality will grant +1 additional
length credit for each uppercase character. Modify the ucredit setting in
/etc/security/pwquality.conf to require the use of an uppercase character in passwords. |
| Rationale | Use of a complex password helps to increase the time and resources required to compromise the password.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts
at guessing and brute-force attacks.
Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. |
check the configuration of /etc/pam.d/system-auth oval:ssg-test_password_pam_pwquality:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= |
check the configuration of /etc/security/pwquality.conf oval:ssg-test_password_pam_pwquality_ucredit:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_ucredit:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| ^/etc/security/pwquality\.conf(\.d/[^/]+\.conf)?$ | ^\s*ucredit[\s]*=[\s]*(-?\d+)(?:[\s]|$) | 1 |
check the configuration of /etc/pam.d/system-auth doens't override pwquality.conf oval:ssg-test_password_pam_pwquality_ucredit_not_overwritten:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_ucredit_not_overwritten:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^\s*password.*pam_pwquality\.so.*\bucredit\b | 1 |
Set Password Hashing Algorithm in /etc/login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_logindefs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, OL08-00-010110, SV-248533r877397_rule |
| Description | In /etc/login.defs, add or correct the following line to ensure
the system will use SHA512 as the hashing algorithm:
ENCRYPT_METHOD SHA512 |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords.
If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if they are kept in plain text.
Using a stronger hashing algorithm makes password cracking attacks more difficult. |
The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs oval:ssg-test_etc_login_defs_encrypt_method:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_last_encrypt_method_instance_value:var:1 | SHA512 |
Set PAM''s Password Hashing Algorithm - password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_passwordauth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, OL08-00-010160, SV-248544r818611_rule |
| Description | The PAM system service can be configured to only store encrypted
representations of passwords. In
/etc/pam.d/password-auth,
the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512, as shown
below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
check /etc/pam.d/password-auth for correct settings oval:ssg-test_pam_unix_passwordauth_sha512:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/password-auth | password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow |
Set PAM''s Password Hashing Algorithm
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_algorithm_systemauth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, 8.3.2, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, OL08-00-010159, SV-248543r818608_rule |
| Description | The PAM system service can be configured to only store encrypted
representations of passwords. In "/etc/pam.d/system-auth", the
password section of the file controls which PAM modules execute
during a password change. Set the pam_unix.so module in the
password section to include the argument sha512, as shown
below:
password sufficient pam_unix.so sha512 other arguments... This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords that
are encrypted with a weak algorithm are no more protected than if they are
kepy in plain text.
This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use
of a strong hashing algorithm that makes password cracking attacks more
difficult. |
check /etc/pam.d/system-auth for correct settings oval:ssg-test_pam_unix_sha512:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/system-auth | password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow |
Set Password Hashing Rounds in /etc/login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_set_password_hashing_min_rounds_logindefs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-set_password_hashing_min_rounds_logindefs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R68), CCI-000196, CCI-000803, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, OL08-00-010130, SV-248535r880546_rule |
| Description | In /etc/login.defs, ensure SHA_CRYPT_MIN_ROUNDS and
SHA_CRYPT_MAX_ROUNDS has the minimum value of 5000.
For example:
SHA_CRYPT_MIN_ROUNDS 5000 SHA_CRYPT_MAX_ROUNDS 5000Notice that if neither are set, they already have the default value of 5000. If either is set, they must have the minimum value of 5000. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard
method for protecting passwords. If passwords are not encrypted, they can
be plainly read (i.e., clear text) and easily compromised. Passwords
that are encrypted with a weak algorithm are no more protected than if
they are kept in plain text.
Using more hashing rounds makes password cracking attacks more difficult. |
SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MIN_ROUNDS\s* | 1 |
SHA_CRYPT_MIN_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000 oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_present:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_present:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MIN_ROUNDS\s+(\d+)\s*$ | 1 |
SHA_CRYPT_MAX_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_default:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MAX_ROUNDS\s* | 1 |
SHA_CRYPT_MIN_ROUNDS is not explicitly configured in /etc/login.defs and therefore takes on the default value oval:ssg-test_etc_login_defs_sha_crypt_min_rounds_default:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_min_rounds_default:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MIN_ROUNDS\s* | 1 |
SHA_CRYPT_MAX_ROUNDS is explicitly configured in /etc/login.defs and its value most be greater or equal to 5000 oval:ssg-test_etc_login_defs_sha_crypt_max_rounds_present:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_login_defs_sha_crypt_max_rounds_present:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^\s*SHA_CRYPT_MAX_ROUNDS\s+(\d+)\s*$ | 1 |
Disallow Configuration to Bypass Password Requirements for Privilege Escalation
| Rule ID | xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disallow_bypass_password_sudo:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, OL08-00-010385, SV-252656r854184_rule |
| Description | Verify the operating system is not configured to bypass password requirements for privilege
escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
$ sudo grep pam_succeed_if /etc/pam.d/sudoIf any occurrences of "pam_succeed_if" is returned from the command, this is a finding. |
| Rationale | Without re-authentication, users may access resources or perform tasks for which they do not
have authorization. When operating systems provide the capability to escalate a functional
capability, it is critical the user re-authenticate. |
Check absence of conf pam_succeed_if in /etc/pam.d/sudo oval:ssg-test_disallow_bypass_password_sudo:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_disallow_bypass_password_sudo:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/sudo | ^.*pam_succeed_if.*$ | 1 |
Ensure PAM Displays Last Logon/Access Notification
| Rule ID | xccdf_org.ssgproject.content_rule_display_login_attempts |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-display_login_attempts:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 1, 12, 15, 16, 5.5.2, DSS05.04, DSS05.10, DSS06.10, CCI-000052, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0582, 0584, 05885, 0586, 0846, 0957, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, Req-10.2.4, 10.2.1.4, SRG-OS-000480-GPOS-00227, OL08-00-020340, SV-248717r858591_rule |
| Description | To configure the system to notify users of last logon/access
using pam_lastlog, add or correct the pam_lastlog
settings in
/etc/pam.d/postlogin to read as follows:
session required pam_lastlog.so showfailedAnd make sure that the silent option is not set for
pam_lastlog module. |
| Rationale | Users need to be aware of activity that occurs regarding
their account. Providing users with information regarding the number
of unsuccessful attempts that were made to login to their account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators. |
Check the pam_lastlog configuration oval:ssg-test_display_login_attempts:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_display_login_attempts:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/postlogin | ^\s*session\s+required\s+pam_lastlog\.so(?:\s+[\w=]+)*\s+showfailed(\s|$) | 1 |
Forbid 'silent' option for pam_lastlog oval:ssg-test_display_login_attempts_silent:tst:1 false
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/pam.d/postlogin | session optional pam_lastlog.so silent |
Install the tmux Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tmux_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.10, CCI-000058, CCI-000056, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), PR.AC-7, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000030-GPOS-00011, SRG-OS-000028-GPOS-00009, OL08-00-020039, SV-248674r779588_rule |
| Description | To enable console screen locking, install the tmux package.
A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
The session lock is implemented at the point where session activity can be determined.
Rather than be forced to wait for a period of time to expire before the user session can be locked, Oracle Linux 8 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
Instruct users to begin new terminal sessions with the following command:
$ tmuxThe console can now be locked with the following key combination: ctrl+b :lock-session |
| Rationale | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
physical vicinity of the information system but does not logout because of the temporary nature of the absence.
Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
operating systems need to be able to identify when a user's session has idled and take action to initiate the
session lock.
The tmux package allows for a session lock to be implemented and configured. |
Support session locking with tmux (not enforcing)
| Rule ID | xccdf_org.ssgproject.content_rule_configure_bashrc_tmux |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000056, CCI-000058, SRG-OS-000031-GPOS-00012, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, OL08-00-020041, SV-248676r917911_rule |
| Description | The tmux terminal multiplexer is used to implement
automatic session locking. It should be started from
/etc/bashrc or drop-in files within /etc/profile.d/. |
| Rationale | Unlike bash itself, the tmux terminal multiplexer
provides a mechanism to lock sessions after period of inactivity.
A session lock is a temporary action taken when a user stops work and moves away from the
immediate physical vicinity of the information system but does not want to
log out because of the temporary nature of the absence. |
| Warnings | warning
This rule configures Tmux to be executed in a way that exiting Tmux
drops the user into a regular shell instead of logging them out, therefore the session locking mechanism is not enforced on the user. |
Configure tmux to lock session after inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000057, CCI-000060, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000029-GPOS-00010, SRG-OS-000031-GPOS-00012, OL08-00-020070, SV-248681r779609_rule |
| Description | To enable console screen locking in tmux terminal multiplexer
after a period of inactivity,
the lock-after-time option has to be set to a value greater than 0 and less than
or equal to 900 in /etc/tmux.conf. |
| Rationale | Locking the session after a period of inactivity limits the
potential exposure if the session is left unattended. |
Configure the tmux Lock Command
| Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_command |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000056, CCI-000058, AC-11(a), AC-11(b), CM-6(a), FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, OL08-00-020040, SV-248675r902786_rule |
| Description | To enable console screen locking in tmux terminal multiplexer,
the vlock command must be configured to be used as a locking
mechanism.
Add the following line to /etc/tmux.conf:
set -g lock-command vlock. The console can now be locked with the following key combination: ctrl+b :lock-session |
| Rationale | The tmux package allows for a session lock to be implemented and configured.
However, the session lock is implemented by an external command. The tmux
default configuration does not contain an effective session lock. |
Configure the tmux lock session key binding
| Rule ID | xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000056, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, OL08-00-020040, SV-248675r902786_rule |
| Description | To set a key binding for the screen locking in tmux terminal multiplexer,
the session-lock command must be bound to a key.
Add the following line to /etc/tmux.conf:
bind X lock-session. The console can now be locked with the following key combination: Ctrl+b Shift+x |
| Rationale | The tmux package allows for a session lock to be implemented and configured.
However, the session lock is implemented by an external command. The tmux
default configuration does not contain an effective session lock. |
Prevent user from disabling the screen lock
| Rule ID | xccdf_org.ssgproject.content_rule_no_tmux_in_shells |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000056, CCI-000058, CM-6, FMT_SMF_EXT.1, FMT_MOF_EXT.1, FTA_SSL.1, SRG-OS-000324-GPOS-00125, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, OL08-00-020042, SV-248677r779597_rule |
| Description | The tmux terminal multiplexer is used to implement
automatic session locking. It should not be listed in
/etc/shells. |
| Rationale | Not listing tmux among permitted shells
prevents malicious program running as user
from lowering security by disabling the screen lock. |
Check that vlock is installed to allow session locking
| Rule ID | xccdf_org.ssgproject.content_rule_vlock_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000056, CCI-000058, CCI-000060, SRG-OS-000028-GPOS-00009, SRG-OS-000030-GPOS-00011, OL08-00-020043, SV-248678r779600_rule |
| Description | The Oracle Linux 8 operating system must have vlock installed to allow for session locking.
The kbd package can be installed with the following command:
$ sudo yum install kbd |
| Rationale | A session lock is a temporary action taken when a user stops work and
moves away from the immediate physical vicinity of the information
system but does not want to log out because of the temporary nature of
the absence.
The session lock is implemented at the point where session activity can
be determined.
Regardless of where the session lock is determined and implemented,
once invoked, the session lock must remain in place until the user
reauthenticates. No other activity aside from reauthentication must
unlock the system. |
Install the opensc Package For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_package_opensc_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001954, CCI-001953, 1382, 1384, 1386, CM-6(a), SRG-OS-000375-GPOS-00160, SRG-OS-000376-GPOS-00161, OL08-00-010410, SV-248588r853769_rule |
| Description |
The opensc package can be installed with the following command:
$ sudo yum install opensc |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. |
Install Smart Card Packages For Multifactor Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_install_smartcard_packages |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000765, CCI-001948, CCI-001953, CCI-001954, CM-6(a), Req-8.3, 8.4, SRG-OS-000105-GPOS-00052, SRG-OS-000375-GPOS-00160, SRG-OS-000375-GPOS-00161, SRG-OS-000377-GPOS-00162, OL08-00-010390, SV-248586r853767_rule |
| Description | Configure the operating system to implement multifactor authentication by
installing the required package with the following command:
The openssl-pkcs11 package can be installed with the following command:
$ sudo yum install openssl-pkcs11 |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. |
Disable debug-shell SystemD Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_debug-shell_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), CM-6, FIA_UAU.1, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, OL08-00-040180, SV-248872r780182_rule |
| Description | SystemD's debug-shell service is intended to
diagnose SystemD related boot issues with various systemctl
commands. Once enabled and following a system reboot, the root shell
will be available on tty9 which is access by pressing
CTRL-ALT-F9. The debug-shell service should only be used
for SystemD related issues and should otherwise be disabled.
By default, the debug-shell SystemD service is already disabled.
The debug-shell service can be disabled with the following command:
$ sudo systemctl mask --now debug-shell.service |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine through valid troubleshooting configurations and gaining root
access when the system is rebooted. |
Disable Ctrl-Alt-Del Burst Action
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), CM-6(a), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, OL08-00-040172, SV-248871r780179_rule |
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.
To configure the system to ignore the CtrlAltDelBurstAction
setting, add or modify the following to /etc/systemd/system.conf:
CtrlAltDelBurstAction=none |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
| Warnings | warning
Disabling the Ctrl-Alt-Del key sequence
in /etc/init/control-alt-delete.conf DOES NOT disable the Ctrl-Alt-Del
key sequence if running in runlevel 6 (e.g. in GNOME, KDE, etc.)! The
Ctrl-Alt-Del key sequence will only be disabled if running in
the non-graphical runlevel 3. |
Disable Ctrl-Alt-Del Reboot Activation
| Rule ID | xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, FAU_GEN.1.2, SRG-OS-000324-GPOS-00125, SRG-OS-000480-GPOS-00227, OL08-00-040170, SV-248869r833246_rule |
| Description | By default, SystemD will reboot the system if the Ctrl-Alt-Del
key sequence is pressed.
To configure the system to ignore the Ctrl-Alt-Del key sequence from the
command line instead of rebooting the system, do either of the following:
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.targetor systemctl mask ctrl-alt-del.target Do not simply delete the /usr/lib/systemd/system/ctrl-alt-del.service file,
as this file may be restored during future system updates. |
| Rationale | A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
can reboot the system. If accidentally pressed, as could happen in
the case of mixed OS environment, this can create the risk of short-term
loss of availability of systems due to unintentional reboot. |
Configure Logind to terminate idle sessions after certain time of inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_logind_session_timeout |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, FMT_SMF_EXT.1.1, Req-8.1.8, SRG-OS-000163-GPOS-00072, OL08-00-020035, SV-257259r917919_rule |
| Description | To configure logind service to terminate inactive user sessions
after 900 seconds, edit the file
/etc/systemd/logind.conf. Ensure that there is a section
[Login]which contains the configuration StopIdleSessionSec=900. |
| Rationale | Terminating an idle session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management
session enabled on the console or console port that has been let unattended. |
Require Authentication for Emergency Systemd Target
| Rule ID | xccdf_org.ssgproject.content_rule_require_emergency_target_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, OL08-00-010152, SV-248542r779192_rule |
| Description | Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service. |
| Rationale | This prevents attackers with physical access from trivially bypassing security
on the machine and gaining root access. Such accesses are further prevented
by configuring the bootloader password. |
Require Authentication for Single User Mode
Set Account Expiration Following Inactivity in password-auth
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_inactivity_password_auth |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_disable_inactivity_password_auth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000795, IA-4(e), SRG-OS-000118-GPOS-00060, OL08-00-020261, SV-248704r779678_rule |
| Description | Verify the account identifiers (individuals, groups, roles, and devices) are disabled after
35 or less days of inactivity by
checking the account inactivity value with the following command:
grep 'inactive\|pam_unix' /etc/pam.d/password-auth | grep -w auth auth required pam_lastlog.so inactive=35 auth sufficient pam_unix.soThe line with the inactive parameter should be placed before pam_unix.so module as in
the example output. |
| Rationale | Inactive identifiers pose a risk to systems and applications because attackers may exploit an
inactive identifier and potentially obtain undetected access to the system. Owners of inactive
accounts will not notice if unauthorized access to their user account has been obtained. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. |
the value for the inactive parameter should be set appropriately in /etc/pam.d/password-auth oval:ssg-test_password_auth_inactive:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_password_auth_inactive:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/password-auth | ^auth\s*(?:required|requisite)\s*pam_lastlog\.so[^#]*inactive=(\d+)[\s\S]*^\s*auth\s*sufficient\s*pam_unix\.so | 1 |
Set Account Expiration Following Inactivity in system-auth
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_inactivity_system_auth |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_disable_inactivity_system_auth:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000795, IA-4(e), SRG-OS-000118-GPOS-00060, OL08-00-020260, SV-248703r779675_rule |
| Description | Verify the account identifiers (individuals, groups, roles, and devices) are disabled after
35 or less days of inactivity by
checking the account inactivity value with the following command:
grep 'inactive\|pam_unix' /etc/pam.d/password-auth | grep -w auth auth required pam_lastlog.so inactive=35 auth sufficient pam_unix.soThe line with the inactive parameter should be placed before pam_unix.so module as in
the example output. |
| Rationale | Inactive identifiers pose a risk to systems and applications because attackers may exploit an
inactive identifier and potentially obtain undetected access to the system. Owners of inactive
accounts will not notice if unauthorized access to their user account has been obtained. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report. |
the value for the inactive parameter should be set appropriately in /etc/pam.d/system-auth oval:ssg-test_system_auth_inactive:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_system_auth_inactive:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/pam.d/system-auth | ^auth\s*(?:required|requisite)\s*pam_lastlog\.so[^#]*inactive=(\d+)[\s\S]*^\s*auth\s*sufficient\s*pam_unix\.so | 1 |
Set Account Expiration Following Inactivity
| Rule ID | xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-account_disable_post_pw_expiration:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.6.2.1.1, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000017, CCI-000795, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, IA-4(e), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, Req-8.1.4, 8.2.6, SRG-OS-000118-GPOS-00060, OL08-00-020260, SV-248703r779675_rule |
| Description | To specify the number of days after a password expires (which
signifies inactivity) until an account is permanently disabled, add or correct
the following line in /etc/default/useradd:
INACTIVE=35If a password is currently on the verge of expiration, then 35
day(s) remain(s) until the account is automatically
disabled. However, if the password will not expire for another 60 days, then 60
days plus 35 day(s) could
elapse until the account would be automatically disabled. See the
useradd man page for more information. |
| Rationale | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained. |
the value INACTIVE parameter should be set appropriately in /etc/default/useradd oval:ssg-test_etc_default_useradd_inactive:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_default_useradd_inactive:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/default/useradd | ^\s*INACTIVE\s*=\s*(\d+)\s*$ | 1 |
Assign Expiration Date to Emergency Accounts
| Rule ID | xccdf_org.ssgproject.content_rule_account_emergency_expire_date |
| Result | notchecked |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000016, CCI-001682, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002, OL08-00-020270, SV-248708r902791_rule |
| Description | Emergency accounts are privileged accounts established in response to
crisis situations where the need for rapid account activation is required.
In the event emergency accounts are required, configure the system to
terminate them after a documented time period. For every emergency account,
run the following command to set an expiration date on it, substituting
ACCOUNT_NAME and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD ACCOUNT_NAME YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| Rationale | If emergency user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all emergency accounts
must be set upon account creation.
|
| Warnings | warning
Due to the unique requirements of each system, automated
remediation is not available for this configuration check. warning
This rule is deprecated in favor of the account_temp_expire_date rule.
Please consider replacing this rule in your files as it is not expected to receive
updates as of version 0.1.69. |
Assign Expiration Date to Temporary Accounts
| Rule ID | xccdf_org.ssgproject.content_rule_account_temp_expire_date |
| Result | notchecked |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000016, CCI-001682, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(2), AC-2(3), CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000123-GPOS-00064, SRG-OS-000002-GPOS-00002, OL08-00-020000, SV-248651r779519_rule |
| Description | Temporary accounts are established as part of normal account activation
procedures when there is a need for short-term accounts. In the event
temporary accounts are required, configure the system to
terminate them after a documented time period. For every temporary account, run the following command to set an expiration date on
it, substituting USER and YYYY-MM-DD
appropriately:
$ sudo chage -E YYYY-MM-DD USER YYYY-MM-DD indicates the documented expiration date for the
account. For U.S. Government systems, the operating system must be
configured to automatically terminate these types of accounts after a
period of 72 hours. |
| Rationale | If temporary user accounts remain active when no longer needed or for
an excessive period, these accounts may be used to gain unauthorized access.
To mitigate this risk, automated termination of all temporary accounts
must be set upon account creation.
|
Set Password Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_maximum_age_login_defs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.6, CCI-000199, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.4, 8.3.10.1, SRG-OS-000076-GPOS-00044, OL08-00-020200, SV-248696r779654_rule |
| Description | To specify password maximum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MAX_DAYS 60A value of 180 days is sufficient for many environments. The DoD requirement is 60. The profile requirement is 60. |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore, passwords
need to be changed periodically. If the operating system does not limit the lifetime
of passwords and force users to change their passwords, there is the risk that the
operating system passwords could be compromised.
Setting the password maximum age ensures users are required to periodically change their passwords. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise. |
The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs oval:ssg-test_pass_max_days:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_last_pass_max_days_instance_value:var:1 | 99999 |
Set Password Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_minimum_age_login_defs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000198, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(d), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, 8.3.9, SRG-OS-000075-GPOS-00043, OL08-00-020190, SV-248695r858592_rule |
| Description | To specify password minimum age for new accounts,
edit the file /etc/login.defs
and add or correct the following line:
PASS_MIN_DAYS 1A value of 1 day is considered sufficient for many environments. The DoD requirement is 1. The profile requirement is 1. |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password,
then the password could be repeatedly changed in a short period of time to
defeat the organization's policy regarding password reuse.
Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement. |
The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs oval:ssg-test_pass_min_days:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_last_pass_min_days_instance_value:var:1 | 0 |
Set Password Minimum Length in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_minlen_login_defs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.7, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(a), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000078-GPOS-00046, OL08-00-020231, SV-248700r779666_rule |
| Description | To specify password length requirements for new accounts, edit the file
/etc/login.defs and add or correct the following line:
PASS_MIN_LEN 15 The DoD requirement is 15.
The FISMA requirement is 12.
The profile requirement is
15.
If a program consults /etc/login.defs and also another PAM module
(such as pam_pwquality) during a password change operation, then
the most restrictive must be satisfied. See PAM section for more
information about enforcing password quality requirements. |
| Rationale | Requiring a minimum password length makes password
cracking attacks more difficult by ensuring a larger
search space. However, any security benefit from an onerous requirement
must be carefully weighed against usability problems, support costs, or counterproductive
behavior that may result. |
The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs oval:ssg-test_pass_min_len:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-variable_last_pass_min_len_instance_value:var:1 | 5 |
Set Existing Passwords Maximum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_max_life_existing:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, OL08-00-020210, SV-248697r779657_rule |
| Description | Configure non-compliant accounts to enforce a 60-day maximum password lifetime
restriction by running the following command:
$ sudo chage -M 60 USER |
| Rationale | Any password, no matter how complex, can eventually be cracked. Therefore,
passwords need to be changed periodically. If the operating system does
not limit the lifetime of passwords and force users to change their
passwords, there is the risk that the operating system passwords could be
compromised. |
Compares a specific field in /etc/shadow with a specific variable value oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_max_life_existing_password_max_life_existing:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){2}(\d+):(?:[^:]*:){3}(?:[^:]*)$ | 1 |
Compares a specific field in /etc/shadow with a specific variable value oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_max_life_existing_password_max_life_existing_minimum:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:){2}(\d+):(?:[^:]*:){3}(?:[^:]*)$ | 1 |
Passwords must have the maximum password age set non-empty in /etc/shadow. oval:ssg-test_accounts_password_set_max_life_existing_password_max_life_not_empty:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_set_max_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:){2}():(?:[^:]*:){3}(?:[^:]*)$ | 1 |
Set Existing Passwords Minimum Age
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_set_min_life_existing:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, OL08-00-020180, SV-248694r779648_rule |
| Description | Configure non-compliant accounts to enforce a 24 hours/1 day minimum password
lifetime by running the following command:
$ sudo chage -m 1 USER |
| Rationale | Enforcing a minimum password lifetime helps to prevent repeated password
changes to defeat the password reuse or history enforcement requirement. If
users are allowed to immediately and continually change their password, the
password could be repeatedly changed in a short period of time to defeat the
organization's policy regarding password reuse. |
Compares a specific field in /etc/shadow with a specific variable value oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_min_life_existing_password_max_life_existing:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:)(\d+):(?:[^:]*:){4}(?:[^:]*)$ | 1 |
Compares a specific field in /etc/shadow with a specific variable value oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_test_accounts_password_set_min_life_existing_password_max_life_existing_minimum:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]*:)(?:[^:]*:)(\d+):(?:[^:]*:){4}(?:[^:]*)$ | 1 |
Passwords must have the maximum password age set non-empty in /etc/shadow. oval:ssg-test_accounts_password_set_min_life_existing_password_max_life_not_empty:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_set_min_life_existing_shadow_password_users_max_life_not_existing:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/shadow | ^(?:[^:]*:)(?:[^\!\*:]+:)(?:[^:]*:)():(?:[^:]*:){4}(?:[^:]*)$ | 1 |
Verify All Account Password Hashes are Shadowed with SHA512
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed_sha512 |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_password_all_shadowed_sha512:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000196, CCI-000803, IA-5(1)(c), IA-5(1).1(v), IA-7, IA-7.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, OL08-00-010120, SV-248534r877397_rule |
| Description | Verify the operating system requires the shadow password suite
configuration be set to encrypt interactive user passwords using a strong
cryptographic hash.
Check that the interactive user account passwords are using a strong
password hash with the following command:
$ sudo cut -d: -f2 /etc/shadow $6$kcOnRq/5$NUEYPuyL.wghQwWssXRcLRFiiru7f5JPV6GaJhNC2aK5F3PZpE/BCCtwrxRc/AInKMNX3CdMw11m9STiql12f/Password hashes ! or * indicate inactive accounts not
available for logon and are not evaluated.
If any interactive user password hash does not begin with $6,
this is a finding. |
| Rationale | Passwords need to be protected at all times, and encryption is the standard method for
protecting passwords. If passwords are not encrypted, they can be plainly read
(i.e., clear text) and easily compromised. |
password hashes are shadowed using sha512 oval:ssg-test_accounts_password_all_shadowed_sha512:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_password_all_shadowed_sha512:obj:1 of type shadow_object
| Username | Filter | Filter | Filter |
|---|---|---|---|
| .* | oval:ssg-state_accounts_password_all_shadowed_has_no_password:ste:1 | oval:ssg-state_accounts_password_all_shadowed_has_locked_password:ste:1 | oval:ssg-state_accounts_password_all_shadowed_sha512:ste:1 |
Prevent Login to Accounts With Empty Password
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-5(1)(a), IA-5(c), CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, FIA_UAU.1, Req-8.2.3, 8.3.6, 8.3.9, SRG-OS-000480-GPOS-00227, OL08-00-020331, SV-248715r779711_rule |
| Description | If an account is configured for password authentication
but does not have an assigned password, it may be possible to log
into the account without authentication. Remove any instances of the
nullok in
/etc/pam.d/system-auth and
/etc/pam.d/password-auth
to prevent logins with empty passwords. |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
| Warnings | warning
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
Note that this rule is not applicable for systems running within a
container. Having user with empty password within a container is not
considered a risk, because it should not be possible to directly login into
a container anyway. |
Ensure There Are No Accounts With Blank or Null Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, OL08-00-010121, SV-252650r818746_rule |
| Description | Check the "/etc/shadow" file for blank passwords with the
following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding.
Configure all accounts on the system to have a password or lock
the account with the following commands:
Perform a password reset:
$ sudo passwd [username]Lock an account: $ sudo passwd -l [username] |
| Rationale | If an account has an empty password, anyone could log in and
run commands with the privileges of that account. Accounts with
empty passwords should never be used in operational environments. |
| Warnings | warning
Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway. |
Verify Only Root Has UID 0
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_no_uid_except_zero:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, Req-8.5, 8.2.2, 8.2.3, SRG-OS-000480-GPOS-00227, OL08-00-040200, SV-248874r780188_rule |
| Description | If any account other than root has a UID of 0, this misconfiguration should
be investigated and the accounts other than root should be removed or have
their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned. |
| Rationale | An account has root authority if it has a UID of 0. Multiple accounts
with a UID of 0 afford more opportunity for potential intruders to
guess a password for a privileged account. Proper configuration of
sudo is recommended to afford multiple system administrators
access to root privileges in an accountable manner. |
test that there are no accounts with UID 0 except root in the /etc/passwd file oval:ssg-test_accounts_no_uid_except_root:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/passwd | ^(?!root:)[^:]*:[^:]*:0 | 1 |
Ensure All Accounts on the System Have Unique User IDs
| Rule ID | xccdf_org.ssgproject.content_rule_account_unique_id |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000135, CCI-000764, CCI-000804, Req-8.1.1, 8.2.1, SRG-OS-000104-GPOS-00051, SRG-OS-000121-GPOS-00062, SRG-OS-000042-GPOS-00020, OL08-00-020240, SV-248701r779669_rule |
| Description | Change user IDs (UIDs), or delete accounts, so each has a unique name. |
| Rationale | To assure accountability and prevent unauthenticated access, interactive users must be identified and authenticated to prevent potential misuse and compromise of the system. |
| Warnings | warning
Automatic remediation of this control is not available due to unique requirements of each
system. |
Ensure the Default Bash Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_bashrc:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, 8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, OL08-00-020353, SV-248721r818666_rule |
| Description | To ensure the default umask for users of the Bash shell is set properly,
add or correct the umask setting in /etc/bashrc to read
as follows:
umask 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_bashrc:tst:1 false
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_bashrc_umask_as_number:var:1 | 18 | 18 | 2 | 2 | 18 | 18 | 2 | 2 |
Ensure the Default C Shell Umask is Set Correctly
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_csh_cshrc:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, OL08-00-020353, SV-248721r818666_rule |
| Description | To ensure the default umask for users of the C shell is set properly,
add or correct the umask setting in /etc/csh.cshrc to read as follows:
umask 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1 false
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1 | 2 | 2 | 18 | 18 | 2 | 2 | 18 | 18 |
Ensure the Default Umask is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_login_defs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R35), 11, 18, 3, 9, APO13.01, BAI03.01, BAI03.02, BAI03.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-1, PR.IP-2, 8.6.1, SRG-OS-000480-GPOS-00228, OL08-00-020351, SV-248719r779723_rule |
| Description | To ensure the default umask controlled by /etc/login.defs is set properly,
add or correct the UMASK setting in /etc/login.defs to read as follows:
UMASK 077 |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and
written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement oval:ssg-tst_accounts_umask_etc_login_defs:tst:1 false
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_etc_login_defs_umask_as_number:var:1 | 18 |
Ensure the Default Umask is Set Correctly in /etc/profile
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_etc_profile:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, 8.6.1, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, OL08-00-020353, SV-248721r818666_rule |
| Description | To ensure the default umask controlled by /etc/profile is set properly,
add or correct the umask setting in /etc/profile to read as follows:
umask 077Note that /etc/profile also reads scrips within /etc/profile.d directory.
These scripts are also valid files to set umask value. Therefore, they should also be
considered during the check and properly remediated, if necessary. |
| Rationale | The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users. |
Verify the existence of var_accounts_user_umask_as_number variable oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1 true
Following items have been found on the system:
| Var ref | Value |
|---|---|
| oval:ssg-var_accounts_user_umask_umask_as_number:var:1 | 63 |
umask value(s) from profile configuration files match the requirement oval:ssg-tst_accounts_umask_etc_profile:tst:1 false
Following items have been found on the system:
| Var ref | Value | Value | Value | Value | Value | Value | Value | Value |
|---|---|---|---|---|---|---|---|---|
| oval:ssg-var_etc_profile_umask_as_number:var:1 | 2 | 2 | 18 | 18 | 2 | 2 | 18 | 18 |
Ensure the Default Umask is Set Correctly For Interactive Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_umask_interactive_users:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CCI-001814, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00228, OL08-00-020352, SV-248720r858597_rule |
| Description | Remove the UMASK environment variable from all interactive users initialization files. |
| Rationale | The umask controls the default access mode assigned to newly created files. A
umask of 077 limits new files to mode 700 or less permissive. Although umask can
be represented as a four-digit number, the first digit representing special
access modes is typically ignored or required to be 0. This requirement
applies to the globally configured system defaults and the local interactive
user defaults for each account on the system. |
Umask must not be defined in user initialization files oval:ssg-test_accounts_umask_interactive_users:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_umask_interactive_users:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance | Filter |
|---|---|---|---|---|
| Referenced variable has no values (oval:ssg-var_accounts_umask_interactive_users_dirs:var:1). | ^\..* | ^[\s]*umask\s* | 1 | oval:ssg-state_accounts_umask_interactive_users_bash_history:ste:1 |
Ensure Home Directories are Created for New Users
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_have_homedir_login_defs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010760, SV-248644r779498_rule |
| Description | All local interactive user accounts, upon creation, should be assigned a home directory.
Configure the operating system to assign home directories to all new local interactive users by setting the CREATE_HOME
parameter in /etc/login.defs to yes as follows:
CREATE_HOME yes |
| Rationale | If local interactive users are not assigned a valid home directory, there is no place
for the storage and control of files they should own. |
Check value of CREATE_HOME in /etc/login.defs oval:ssg-test_accounts_have_homedir_login_defs:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/login.defs | CREATE_HOME yes # This enables userdel to remove user groups if no members exist. |
Ensure the Logon Failure Delay is Set Correctly in login.defs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_logon_fail_delay:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00226, OL08-00-020310, SV-248712r779702_rule |
| Description | To ensure the logon failure delay controlled by /etc/login.defs is set properly,
add or correct the FAIL_DELAY setting in /etc/login.defs to read as follows:
FAIL_DELAY 4 |
| Rationale | Increasing the time between a failed authentication attempt and re-prompting to
enter credentials helps to slow a single-threaded brute force attack. |
check FAIL_DELAY in /etc/login.defs oval:ssg-test_accounts_logon_fail_delay:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_logon_fail_delay:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/login.defs | ^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*) | 1 |
Limit the Number of Concurrent Login Sessions Allowed Per User
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_max_concurrent_login_sessions:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 14, 15, 18, 9, 5.5.2.2, DSS01.05, DSS05.02, CCI-000054, 4.3.3.4, SR 3.1, SR 3.8, A.13.1.1, A.13.1.3, A.13.2.1, A.14.1.2, A.14.1.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, AC-10, CM-6(a), PR.AC-5, SRG-OS-000027-GPOS-00008, OL08-00-020024, SV-248666r877399_rule |
| Description | Limiting the number of allowed users and sessions per user can limit risks related to Denial of
Service attacks. This addresses concurrent sessions for a single account and does not address
concurrent sessions by a single user via multiple accounts. To set the number of concurrent
sessions per user add the following line in /etc/security/limits.conf or
a file under /etc/security/limits.d/:
* hard maxlogins 10 |
| Rationale | Limiting simultaneous user logins can insulate the system from denial of service
problems caused by excessive logins. Automated login processes operating improperly or
maliciously may result in an exceptional number of simultaneous login sessions. |
the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf oval:ssg-test_limitsd_maxlogins:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ | 1 |
the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf oval:ssg-test_limitsd_maxlogins_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins | 1 |
the value maxlogins should be set appropriately in /etc/security/limits.conf oval:ssg-test_maxlogins:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_etc_security_limits_conf_maxlogins:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/limits.conf | ^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$ | 1 |
User Initialization Files Must Not Run World-Writable Programs
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_dot_no_world_writable_programs:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010660, SV-248627r779447_rule |
| Description | Set the mode on files being executed by the user initialization files with the
following command:
$ sudo chmod o-w FILE |
| Rationale | If user start-up files execute world-writable programs, especially in
unprotected directories, they could be maliciously modified to destroy user
files or otherwise compromise the system at the user level. If the system is
compromised at the user level, it is easier to elevate privileges to eventually
compromise the system at the root and network level. |
Init files do not execute world-writable programs oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| ^(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)$Referenced variable has no values (oval:ssg-var_accounts_user_dot_no_world_writable_programs_dirs:v | 1 |
Ensure that Users Path Contains Only Local Directories
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only |
| Result | notchecked |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010690, SV-248635r779471_rule |
| Description | Ensure that all interactive user initialization files executable search
path statements do not contain statements that will reference a working
directory other than the users home directory. |
| Rationale | The executable search path (typically the PATH environment variable) contains a
list of directories for the shell to search to find executables. If this path
includes the current working directory (other than the users home directory),
executables in these directories may be executed instead of system commands.
This variable is formatted as a colon-separated list of directories. If there is
an empty entry, such as a leading or trailing colon or two consecutive colons,
this is interpreted as the current working directory. If deviations from the
default system search path for the local interactive user are required, they
must be documented with the Information System Security Officer (ISSO). |
All Interactive Users Must Have A Home Directory Defined
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_defined:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010720, SV-248638r779480_rule |
| Description | Assign home directories to all interactive users that currently do not
have a home directory assigned.
This rule checks if the home directory is properly defined in a folder which has
at least one parent folder, like "user" in "/home/user" or "/remote/users/user".
Therefore, this rule will report a finding for home directories like /users,
/tmp or /. |
| Rationale | If local interactive users are not assigned a valid home directory, there is no
place for the storage and control of files they should own. |
All Interactive Users Have A Home Directory Defined oval:ssg-test_accounts_user_interactive_home_directory_defined:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_interactive_home_directory_defined_objects:obj:1 of type password_object
| Username | Filter | Filter | Filter |
|---|---|---|---|
| .* | oval:ssg-state_accounts_user_interactive_home_directory_defined_users_uids:ste:1 | oval:ssg-state_accounts_user_interactive_home_directory_defined_users_ignored:ste:1 | oval:ssg-state_accounts_user_interactive_home_directory_defined_users_nologin_shell:ste:1 |
All Interactive Users Home Directories Must Exist
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_user_interactive_home_directory_exists:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010750, SV-248643r779495_rule |
| Description | Create home directories to all local interactive users that currently do not
have a home directory assigned. Use the following commands to create the user
home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER |
| Rationale | If a local interactive user has a home directory defined that does not exist,
the user may be given access to the / directory as the current working directory
upon logon. This could create a Denial of Service because the user would not be
able to access their logon configuration files, and it may give them visibility
to system files they normally would not be able to access. |
Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_interactive_home_directory_exists_dirs_count_fs:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:1 |
Check the existence of interactive users. oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_interactive_home_directory_exists_dirs_count_pw:obj:1 of type variable_object
| Var ref |
|---|
| oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:1 |
All User Files and Directories In The Home Directory Must Be Group-Owned By The Primary Group
| Rule ID | xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-accounts_users_home_files_groupownership:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010741, SV-248642r779492_rule |
| Description | Change the group of a local interactive users files and directories to a
group that the interactive user is a member of. To change the group owner of a
local interactive users files and directories, use the following command:
$ sudo chgrp USER_GROUP /home/USER/FILE_DIRThis rule ensures every file or directory under the home directory related to an interactive user is group-owned by an interactive user. |
| Rationale | If a local interactive users files are group-owned by a group of which the
user is not a member, unintended users may be able to access them. |
| Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of folders or files in their respective home directories. |
All home directories files are group-owned by a local interactive user oval:ssg-test_accounts_users_home_files_groupownership:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_users_home_files_groupownership_dirs:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| Referenced variable has no values (oval:ssg-var_accounts_users_home_files_groupownership_dirs:var:1 | no value | .* |
All Interactive User Home Directories Must Be Group-Owned By The Primary Group
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_home_directories |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_home_directories:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010740, SV-248641r880567_rule |
| Description | Change the group owner of interactive users home directory to the
group found in /etc/passwd. To change the group owner of
interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USERThis rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory. |
| Rationale | If the Group Identifier (GID) of a local interactive users home directory is
not the same as the primary GID of the user, this would allow unauthorized
access to the users files, and users that share the same group may not be
able to access files that they legitimately should. |
| Warnings | warning
Due to OVAL limitation, this rule can report a false negative in a
specific situation where two interactive users swap the group-ownership
of their respective home directories. |
All home directories are group-owned by a local interactive group oval:ssg-test_file_groupownership_home_directories:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_home_directories_dirs:obj:1 of type file_object
| Path | Filename |
|---|---|
| Referenced variable has no values (oval:ssg-var_file_groupownership_home_directories_dirs:var:1). | no value |
Verify Group Who Owns lastlog Command
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_lastlog |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_lastlog:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001314, SI-11(b), SI-11(c), SI-11.1(iv), SRG-OS-000206-GPOS-00084, OL08-00-020264, SV-248707r779687_rule |
| Description |
To properly set the group owner of /var/log/lastlog, run the command:
$ sudo chgrp root /var/log/lastlog |
| Rationale | Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to
attackers, thus compromising its confidentiality. |
Testing group ownership of /usr/bin/lastlog oval:ssg-test_file_groupownership_lastlog_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownership_lastlog_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /usr/bin/lastlog | oval:ssg-symlink_file_groupownership_lastlog_uid_0:ste:1 | oval:ssg-state_file_groupownership_lastlog_gid_0_0:ste:1 |
Verify Owner on lastlog Command
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_lastlog |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_lastlog:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001314, SI-11(b), SI-11(c), SI-11.1(iv), SRG-OS-000206-GPOS-00084, OL08-00-020263, SV-248706r779684_rule |
| Description |
To properly set the owner of /usr/bin/lastlog, run the command:
$ sudo chown root /usr/bin/lastlog |
| Rationale | Unauthorized disclosure of the contents of the /var/log/lastlog file can reveal system data to
attackers, thus compromising its confidentiality. |
Testing user ownership of /usr/bin/lastlog oval:ssg-test_file_ownership_lastlog_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_lastlog_0:obj:1 of type file_object
| Filepath | Filter | Filter |
|---|---|---|
| /usr/bin/lastlog | oval:ssg-symlink_file_ownership_lastlog_uid_0:ste:1 | oval:ssg-state_file_ownership_lastlog_uid_0_0:ste:1 |
Record Events that Modify the System's Discretionary Access Controls - chmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, OL08-00-030490, SV-248791r853829_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - chown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, OL08-00-030480, SV-248790r853828_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, OL08-00-030490, SV-248791r853829_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchmodat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, OL08-00-030490, SV-248791r853829_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, OL08-00-030480, SV-248790r853828_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fchownat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, OL08-00-030480, SV-248790r853828_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, OL08-00-030200, SV-248748r853804_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - fsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, OL08-00-030200, SV-248748r853804_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lchown
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, OL08-00-030480, SV-248790r853828_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lremovexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, OL08-00-030200, SV-248748r853804_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - lsetxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, OL08-00-030200, SV-248748r853804_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - removexattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, OL08-00-030200, SV-248748r853804_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root.
If the auditd daemon is configured to use the augenrules
program to read audit rules during daemon startup (the default), add the
following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod If the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Events that Modify the System's Discretionary Access Controls - setxattr
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 10.3.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, OL08-00-030200, SV-248748r853804_rule |
| Description | At a minimum, the audit system should collect file permission
changes for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following line to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_modIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_modIf the system is 64 bit then also add the following line: -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod |
| Rationale | The changing of file permissions could indicate that a user is attempting to
gain access to information that would otherwise be disallowed. Auditing DAC modifications
can facilitate the identification of patterns of abuse among both authorized and
unauthorized users. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Any Attempts to Run chacl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chacl |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, OL08-00-030570, SV-248799r853832_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the chacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Record Any Attempts to Run setfacl
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfacl |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030330, SV-248770r853818_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the setfacl command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Record Any Attempts to Run chcon
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, OL08-00-030260, SV-248754r853806_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the chcon command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Record Any Attempts to Run semanage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, OL08-00-030313, SV-248764r779858_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the semanage command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Record Any Attempts to Run setfiles
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, OL08-00-030314, SV-248765r779861_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the setfiles command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Record Any Attempts to Run setsebool
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, OL08-00-030316, SV-248767r853815_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the setsebool command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects File Deletion Events by User - rename
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, OL08-00-030361, SV-248774r853822_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - renameat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, OL08-00-030361, SV-248774r853822_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - rmdir
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, OL08-00-030361, SV-248774r853822_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S rmdir -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - unlink
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, OL08-00-030361, SV-248774r853822_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlink -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
Ensure auditd Collects File Deletion Events by User - unlinkat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, OL08-00-030361, SV-248774r853822_rule |
| Description | At a minimum, the audit system should collect file deletion events
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=deleteIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete |
| Rationale | Auditing file deletions will create an audit trail for files that are removed
from the system. The audit trail could aid in system troubleshooting, as well as, detecting
malicious processes that attempt to delete log files to conceal their presence. |
Record Unsuccessful Access Attempts to Files - creat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, OL08-00-030420, SV-248784r853827_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - ftruncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, OL08-00-030420, SV-248784r853827_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - open
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, OL08-00-030420, SV-248784r853827_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - open_by_handle_at
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, OL08-00-030420, SV-248784r853827_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - openat
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, OL08-00-030420, SV-248784r853827_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Record Unsuccessful Access Attempts to Files - truncate
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, 10.2.1.1, 10.2.1.4, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, OL08-00-030420, SV-248784r853827_rule |
| Description | At a minimum, the audit system should collect unauthorized file
accesses for all users and root. If the auditd daemon is configured
to use the augenrules program to read audit rules during daemon
startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=accessIf the system is 64 bit then also add the following lines: -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access |
| Rationale | Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
these events could serve as evidence of potential system compromise. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. Here the system calls
have been placed independent of other system calls. Grouping these system
calls with others as identifying earlier in this guide is more efficient. |
Ensure auditd Collects Information on Kernel Module Unloading - delete_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, OL08-00-030390, SV-248781r853824_rule |
| Description | To capture kernel module unloading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, OL08-00-030360, SV-248773r853821_rule |
| Description | If the auditd daemon is configured to use the augenrules program
to read audit rules during daemon startup (the default), add the following lines to a file
with suffix .rules in the directory /etc/audit/rules.d to capture kernel module
loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modulesIf the auditd daemon is configured to use the auditctl utility to read audit
rules during daemon startup, add the following lines to /etc/audit/audit.rules file
in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S finit_module -F auid>=1000 -F auid!=unset -F key=modules |
| Rationale | The addition/removal of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
Ensure auditd Collects Information on Kernel Module Loading - init_module
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, OL08-00-030360, SV-248773r853821_rule |
| Description | To capture kernel module loading events, use following line, setting ARCH to
either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modulesPlace to add the line depends on a way auditd daemon is configured. If it is configured
to use the augenrules program (the default), add the line to a file with suffix
.rules in the directory /etc/audit/rules.d.
If the auditd daemon is configured to use the auditctl utility,
add the line to file /etc/audit/audit.rules. |
| Rationale | The addition of kernel modules can be used to alter the behavior of
the kernel and potentially introduce malicious code into kernel space. It is important
to have an audit trail of modules that have been introduced into the kernel. |
Record Attempts to Alter Logon and Logout Events - faillock
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218, OL08-00-030590, SV-248801r853834_rule |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/faillock -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
Record Attempts to Alter Logon and Logout Events - lastlog
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 10.2.1.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214, OL08-00-030600, SV-248802r853835_rule |
| Description | The audit system already collects login information for all users
and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules in the
directory /etc/audit/rules.d in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k loginsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/lastlog -p wa -k logins |
| Rationale | Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion. |
Ensure auditd Collects Information on the Use of Privileged Commands - chage
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030250, SV-248753r853805_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - chsh
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030410, SV-248783r853826_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - crontab
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030400, SV-248782r853825_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030370, SV-248779r853823_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - kmod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_kmod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-3, AU-3.1, AU-12(a), AU-12.1(ii), AU-12.1(iv)AU-12(c), MA-4(1)(a), SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, OL08-00-030580, SV-248800r853833_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-w /usr/bin/kmod -p x -k modulesIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-w /usr/bin/kmod -p x -k modules |
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Ensure auditd Collects Information on the Use of Privileged Commands - mount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, AU-2(d), AU-12(c), AC-6(9), CM-6(a), FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030300, SV-248758r853809_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - newgrp
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030350, SV-248772r853820_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - passwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030290, SV-248757r853808_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - postdrop
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030311, SV-248762r853813_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - postqueue
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030312, SV-248763r853814_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Record Any Attempts to Run ssh-agent
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_agent |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030280, SV-248756r853807_rule |
| Description | At a minimum, the audit system should collect any execution attempt
of the ssh-agent command for all users and root. If the auditd
daemon is configured to use the augenrules program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agentIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules file:
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh-agent |
| Rationale | Without generating audit records that are specific to the security and
mission needs of the organization, it would be difficult to establish,
correlate, and investigate the events relating to an incident or identify
those responsible for one.
Audit records can be generated from various components within the
information system (e.g., module or policy filter). |
Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030320, SV-248769r853817_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - su
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-0003, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, OL08-00-030190, SV-248747r853803_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - sudo
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R19), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-APP-000029-CTR-000085, OL08-00-030550, SV-248797r853830_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - umount
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000169, CCI-000135, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030301, SV-248759r853810_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R6.5, AC-2(4), AU-2(d), AU-3, AU-3.1, AU-12(a), AU-12(c), AU-12.1(ii), AU-12.1(iv), AC-6(9), CM-6(a), MA-4(1)(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-APP-000029-CTR-000085, OL08-00-030317, SV-248768r853816_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - unix_update
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_update |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000064-GPOS-00033, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030310, SV-248761r853812_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - userhelper
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030315, SV-248766r779864_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Ensure auditd Collects Information on the Use of Privileged Commands - usermod
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usermod |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, OL08-00-030560, SV-248798r853831_rule |
| Description | At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd daemon is
configured to use the augenrules program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privilegedIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have compromised system accounts,
is a serious and ongoing concern and can have significant adverse impacts on organizations.
Auditing the use of privileged functions is one way to detect such misuse and identify
the risk from insider and advanced persistent threats.
Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity. |
Make the auditd Configuration Immutable
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_immutable |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, 10.3.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, OL08-00-030121, SV-248738r779780_rule |
| Description | If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the
default), add the following line to a file with suffix .rules in the
directory /etc/audit/rules.d in order to make the auditd configuration
immutable:
-e 2If the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file in order to make the auditd configuration
immutable:
-e 2With this setting, a reboot will be required to change any audit rules. |
| Rationale | Making the audit configuration immutable prevents accidental as
well as malicious modification of the audit rules, although it may be
problematic if legitimate changes are needed during system
operation. |
Ensure auditd Collects Information on Exporting to Media (successful)
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_media_export |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R73), 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, 10.2.1.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030302, SV-248760r853811_rule |
| Description | At a minimum, the audit system should collect media exportation
events for all users and root. If the auditd daemon is configured to
use the augenrules program to read audit rules during daemon startup
(the default), add the following line to a file with suffix .rules in
the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=exportIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file, setting ARCH to either b32 or b64 as
appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export |
| Rationale | The unauthorized exportation of data to external media could result in an information leak
where classified information, Privacy Act information, and intellectual property could be lost. An audit
trail should be created each time a filesystem is mounted to help identify and guard against information
loss. |
Ensure auditd Collects System Administrator Actions - /etc/sudoers
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sudoers |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, OL08-00-030171, SV-248745r853801_rule |
| Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers -p wa -k actionsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions |
| Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Editing the sudoers file may be sign of an attacker trying to
establish persistent methods to a system, auditing the editing of the sudoers
files mitigates this risk. |
Ensure auditd Collects System Administrator Actions - /etc/sudoers.d/
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_sudoers_d |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-002130, CCI-002132, CCI-002884, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, OL08-00-030172, SV-248746r853802_rule |
| Description | At a minimum, the audit system should collect administrator actions
for all users and root. If the auditd daemon is configured to use the
augenrules program to read audit rules during daemon startup (the default),
add the following line to a file with suffix .rules in the directory
/etc/audit/rules.d:
-w /etc/sudoers.d/ -p wa -k actionsIf the auditd daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following line to
/etc/audit/audit.rules file:
-w /etc/sudoers.d/ -p wa -k actions |
| Rationale | The actions taken by system administrators should be audited to keep a record
of what was executed on the system, as well as, for accountability purposes.
Editing the sudoers file may be sign of an attacker trying to
establish persistent methods to a system, auditing the editing of the sudoers
files mitigates this risk. |
Record Events When Privileged Executables Are Run
| Rule ID | xccdf_org.ssgproject.content_rule_audit_rules_suid_privilege_function |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001814, CCI-001882, CCI-001889, CCI-001880, CCI-001881, CCI-001878, CCI-001879, CCI-001875, CCI-001877, CCI-001914, CCI-002233, CCI-002234, CM-5(1), AU-7(a), AU-7(b), AU-8(b), AU-12(3), AC-6(9), SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127, SRG-APP-000343-CTR-000780, SRG-APP-000381-CTR-000905, OL08-00-030000, SV-248722r853794_rule |
| Description | Verify the system generates an audit record when privileged functions are executed.
If audit is using the "auditctl" tool to load the rules, run the following command:
$ sudo grep execve /etc/audit/audit.rulesIf audit is using the "augenrules" tool to load the rules, run the following command: $ sudo grep -r execve /etc/audit/rules.d -a always,exit -F arch=b32 -S execve -C uid!=euid -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -k setgidIf both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. |
| Rationale | Misuse of privileged functions, either intentionally or unintentionally by
authorized users, or by unauthorized external entities that have
compromised information system accounts, is a serious and ongoing concern
and can have significant adverse impacts on organizations. Auditing the use
of privileged functions is one way to detect such misuse and identify the
risk from insider threats and the advanced persistent threat. |
| Warnings | warning
Note that these rules can be configured in a
number of ways while still achieving the desired effect. |
Record Events that Modify User/Group Information - /etc/group
Record Events that Modify User/Group Information - /etc/gshadow
Record Events that Modify User/Group Information - /etc/security/opasswd
Record Events that Modify User/Group Information - /etc/passwd
Record Events that Modify User/Group Information - /etc/shadow
System Audit Directories Must Be Group Owned By Root
System Audit Directories Must Be Owned By Root
System Audit Logs Must Be Group Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_group_ownership_var_log_audit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, OL08-00-030090, SV-248734r779768_rule |
| Description | All audit logs must be group owned by root user. The path for audit log can
be configured via log_file parameter in /etc/audit/auditd.confor, by default, the path for audit log is /var/log/audit/. To properly set the group owner of /var/log/audit/*, run the command:
$ sudo chgrp root /var/log/audit/* |
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
System Audit Logs Must Be Owned By Root
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit_stig |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA02.01, 3.3.1, CCI-000162, CCI-000163, CCI-000164, CCI-001314, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), AU-9(4), DE.AE-3, DE.AE-5, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.1, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, SRG-OS-000206-GPOS-00084, OL08-00-030080, SV-248733r779765_rule |
| Description | All audit logs must be owned by root user. The path for audit log can be
configured via log_file parameter in /etc/audit/auditd.confor by default, the path for audit log is /var/log/audit/. To properly set the owner of /var/log/audit/*, run the command:
$ sudo chown root /var/log/audit/* |
| Rationale | Unauthorized disclosure of audit records can reveal system and configuration data to
attackers, thus compromising its confidentiality. |
Configure a Sufficiently Large Partition for Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001849, SRG-OS-000341-GPOS-00132, SRG-OS-000342-GPOS-00133, OL08-00-030660, SV-248811r877391_rule |
| Description | The Oracle Linux 8 operating system must allocate audit record storage
capacity to store at least one weeks worth of audit records when audit
records are not immediately sent to a central audit record storage
facility.
The partition size needed to capture a week's worth of audit records is
based on the activity level of the system and the total storage capacity
available. In normal circumstances, 10.0 GB of storage space for audit
records will be sufficient.
Determine which partition the audit records are being written to with the
following command:
$ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logCheck the size of the partition that audit records are written to with the following command: $ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit |
| Rationale | Information stored in one location is vulnerable to accidental or incidental
deletion or alteration. Off-loading is a common process in information
systems with limited audit storage capacity. |
Configure auditd Disk Error Action on Disk Error
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, OL08-00-030040, SV-248726r779744_rule |
| Description | The auditd service can be configured to take an action
when there is a disk error.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_error_action = ACTIONSet this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec, single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of disk errors will minimize the possibility of
losing audit records. |
Configure auditd Disk Full Action when Disk Space Is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, SRG-OS-000047-GPOS-00023, OL08-00-030060, SV-248728r779750_rule |
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting ACTION appropriately:
disk_full_action = ACTIONSet this value to single to cause the system to switch to single-user
mode for corrective action. Acceptable values also include syslog,
exec,
single, and halt. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined. Details regarding all possible values for ACTION are described in the
auditd.conf man page. |
| Rationale | Taking appropriate action in case of a filled audit storage volume will minimize
the possibility of losing audit records. |
Configure auditd mail_acct Action on Low Disk Space
Configure auditd space_left Action on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 10.5.1, SRG-OS-000343-GPOS-00134, OL08-00-030731, SV-248819r877389_rule |
| Description | The auditd service can be configured to take an action
when disk space starts to run low.
Edit the file /etc/audit/auditd.conf. Modify the following line,
substituting ACTION appropriately:
space_left_action = ACTIONPossible values for ACTION are described in the auditd.conf man page.
These include:
email (instead of the default,
which is suspend) as it is more likely to get prompt attention. Acceptable values
also include suspend, single, and halt. |
| Rationale | Notifying administrators of an impending disk space problem may
allow them to take corrective action prior to any disruption. |
Configure auditd space_left on Low Disk Space
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_percentage |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-001855, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, OL08-00-030730, SV-248818r877389_rule |
| Description | The auditd service can be configured to take an action
when disk space is running low but prior to running out of space completely.
Edit the file /etc/audit/auditd.conf. Add or modify the following line,
substituting PERCENTAGE appropriately:
space_left = PERCENTAGE%Set this value to at least 25 to cause the system to notify the user of an issue. |
| Rationale | Notifying administrators of an impending disk space problem may allow them to
take corrective action prior to any disruption. |
Include Local Events in Audit Logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_local_events |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6, FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000480-GPOS-00227, OL08-00-030061, SV-248729r779753_rule |
| Description | To configure Audit daemon to include local events in Audit logs, set
local_events to yes in /etc/audit/auditd.conf.
This is the default setting. |
| Rationale | If option local_events isn't set to yes only events from
network will be aggregated. |
Resolve information before writing to audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_log_format |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000366, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000255-GPOS-00096, SRG-OS-000480-GPOS-00227, OL08-00-030063, SV-248731r779759_rule |
| Description | To configure Audit daemon to resolve all uid, gid, syscall,
architecture, and socket address information before writing the
events to disk, set log_format to ENRICHED
in /etc/audit/auditd.conf. |
| Rationale | If option log_format isn't set to ENRICHED, the
audit records will be stored in a format exactly as the kernel sends them. |
Set hostname as computer node name in audit logs
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_name_format |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001851, CM-6, AU-3, FAU_GEN.1.2, SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, OL08-00-030062, SV-248730r877390_rule |
| Description | To configure Audit daemon to use value returned by gethostname
syscall as computer node name in the audit events,
set name_format to hostname
in /etc/audit/auditd.conf. |
| Rationale | If option name_format is left at its default value of
none, audit events from different computers may be hard
to distinguish. |
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
| Rule ID | xccdf_org.ssgproject.content_rule_auditd_overflow_action |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, OL08-00-030700, SV-248815r877390_rule |
| Description | The audit system should have an action setup in the event the internal event queue becomes full.
To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action
to one of the following values: syslog, single, halt. |
| Rationale | The audit system should have an action setup in the event the internal event queue becomes full
so that no data is lost. |
Configure immutable Audit login UIDs
| Rule ID | xccdf_org.ssgproject.content_rule_audit_immutable_login_uids |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000162, CCI-000163, CCI-000164, AU-2(a), FAU_GEN.1.2, SRG-OS-000462-GPOS-00206, SRG-OS-000475-GPOS-00220, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, OL08-00-030122, SV-248739r779783_rule |
| Description | Configure kernel to prevent modification of login UIDs once they are set.
Changing login UIDs while this configuration is enforced requires special capabilities which
are not available to unprivileged users.
The following rules configure audit as described above:
## Make the loginuid immutable. This prevents tampering with the auid. --loginuid-immutableLoad new Audit rules into kernel by running: augenrules --load |
| Rationale | If modification of login UIDs is not prevented, they can be changed by unprivileged users and
make auditing complicated or impossible. |
Ensure the audit Subsystem is Installed
Enable auditd Service
Enable Auditing for Processes Which Start Prior to the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.3, 10.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, OL08-00-030601, SV-248803r853836_rule |
| Description | To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument audit=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit=1 is added as a kernel command line
argument to newly installed kernels, add audit=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit=1" |
| Rationale | Each process on the system carries an "auditable" flag which indicates whether
its activities can be audited. Although auditd takes care of enabling
this for all processes which launch after it does, adding the kernel argument
ensures it is set for every process during boot. |
Extend Audit Backlog Limit for the Audit Daemon
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001849, CCI-002884, CM-6(a), FAU_STG.1, FAU_STG.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, OL08-00-030602, SV-248804r853837_rule |
| Description | To improve the kernel capacity to queue all log events, even those which occurred
prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default
GRUB 2 command line for the Linux operating system.
To ensure that audit_backlog_limit=8192 is added as a kernel command line
argument to newly installed kernels, add audit_backlog_limit=8192 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="audit_backlog_limit=8192" |
| Rationale | audit_backlog_limit sets the queue length for audit events awaiting transfer
to the audit daemon. Until the audit daemon is up and running, all log messages
are stored in this queue. If the queue is overrun during boot process, the action
defined by audit failure flag is taken. |
Set the Boot Loader Admin Username to a Non-Default Value
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_admin_username |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, OL08-00-010149, SV-248539r818605_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.
Do not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL --env=/boot/grub2/grubenv |
| Rationale | Having a non-default grub superuser username makes password-guessing attacks less effective. |
| Warnings | warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set Boot Loader Password in grub2
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_password |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, OL08-00-010150, SV-248540r779186_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set the UEFI Boot Loader Admin Username to a Non-Default Value
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, OL08-00-010141, SV-248538r818603_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
To maximize the protection, select a password-protected superuser account with unique name, and modify the /etc/grub.d/01_users configuration file to reflect the account name change.
It is highly suggested not to use common administrator account names like root, admin, or administrator for the grub2 superuser account. Change the superuser to a different username (The default is 'root'). $ sed -i 's/\(set superusers=\).*/\1"<unique user ID>"/g' /etc/grub.d/01_users Once the superuser account has been added, update the grub.cfg file by running:
grubby --update-kernel=ALL --env=/boot/grub2/grubenv |
| Rationale | Having a non-default grub superuser username makes password-guessing attacks less effective. |
| Warnings | warning
To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
Set the UEFI Boot Loader Password
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_uefi_password |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, OL08-00-010140, SV-248537r779177_rule |
| Description | The grub2 boot loader should have a superuser account and password
protection enabled to protect boot-time settings.
Since plaintext passwords are a security risk, generate a hash for the password by running the following command: # grub2-setpasswordWhen prompted, enter the password that was selected. |
| Rationale | Password protection on the boot loader configuration ensures
users with physical access cannot trivially alter
important bootloader settings. These include which kernel to use,
and whether to enter single-user mode. |
| Warnings | warning
To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
must be automated as a component of machine provisioning, or followed manually as outlined above.
Also, do NOT manually add the superuser account and password to the
grub.cfg file as the grub2-mkconfig command overwrites this file. |
System Must Avoid Meltdown and Spectre Exploit Vulnerabilities in Modern Processors
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_mitigation_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, OL08-00-010424, SV-248593r779345_rule |
| Description | Determine the default kernel:
$ sudo grubby --default-kernel /boot/vmlinuz-5.4.17-2011.1.2.el8uek.x86_64Using the default kernel, verify that Meltdown mitigations are not disabled: $ sudo grubby --info=path-to-default-kernel | grep mitigationThe mitigation must be set to "on". |
| Rationale | Hardware vulnerabilities allow programs to steal data that is currently processed on the
computer. While programs are typically not permitted to read data from other programs, a
malicious program can exploit Meltdown and Spectre to obtain secrets stored in the memory of
other running programs. This might include passwords stored in a password manager or browser;
personal photos, emails, and instant messages; and business-critical documents. |
Enable Kernel Page-Table Isolation (KPTI)
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_pti_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R8), CCI-000381, SI-16, SRG-OS-000433-GPOS-00193, SRG-OS-000095-GPOS-00049, OL08-00-040004, SV-248826r780044_rule |
| Description | To enable Kernel page-table isolation,
add the argument pti=on to the default
GRUB 2 command line for the Linux operating system.
To ensure that pti=on is added as a kernel command line
argument to newly installed kernels, add pti=on to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... pti=on ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="pti=on" |
| Rationale | Kernel page-table isolation is a kernel feature that mitigates
the Meltdown security vulnerability and hardens the kernel
against attempts to bypass kernel address space layout
randomization (KASLR). |
Disable vsyscalls
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001084, CM-7(a), FPT_ASLR_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, OL08-00-010422, SV-248591r779339_rule |
| Description | To disable use of virtual syscalls,
add the argument vsyscall=none to the default
GRUB 2 command line for the Linux operating system.
To ensure that vsyscall=none is added as a kernel command line
argument to newly installed kernels, add vsyscall=none to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... vsyscall=none ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="vsyscall=none" |
| Rationale | Virtual Syscalls provide an opportunity of attack for a user who has control
of the return instruction pointer. |
Ensure cron Is Logging To Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_cron_logging |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 14, 15, 16, 3, 5, 6, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-000366, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, 0988, 1405, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.15.2.1, A.15.2.2, CM-6(a), ID.SC-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000480-GPOS-00227, OL08-00-030010, SV-248723r779735_rule |
| Description | Cron logging must be implemented to spot intrusions or trace
cron job status. If cron is not logging to rsyslog, it
can be implemented by adding the following to the RULES section of
/etc/rsyslog.conf:
cron.* /var/log/cron |
| Rationale | Cron logging can be used to trace the successful or unsuccessful execution
of cron jobs. It can also be used to spot intrusions into the use of the cron
facility by unauthorized and malicious users. |
Ensure Rsyslog Authenticates Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, OL08-00-030720, SV-248817r877390_rule |
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.
When using rsyslogd to off-load logs the remote system must be authenticated. |
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access. |
Ensure Rsyslog Encrypts Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, OL08-00-030710, SV-248816r877390_rule |
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.
When using rsyslogd to off-load logs off a encrpytion system must be used. |
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access. |
Ensure Rsyslog Encrypts Off-Loaded Audit Records
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001851, AU-4(1), SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224, OL08-00-030710, SV-248816r877390_rule |
| Description | Rsyslogd is a system utility providing support for message logging. Support
for both internet and UNIX domain sockets enables this utility to support both local
and remote logging. Couple this utility with gnutls (which is a secure communications
library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
encrypt and off-load auditing.
When using rsyslogd to off-load logs off an encryption system must be used. |
| Rationale | The audit records generated by Rsyslog contain valuable information regarding system
configuration, user authentication, and other such information. Audit records should be
protected from unauthorized access. |
Ensure remote access methods are monitored in Rsyslog
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_access_monitoring |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000067, AC-17(1), SRG-OS-000032-GPOS-00013, OL08-00-010070, SV-248530r779156_rule |
| Description | Logging of remote access methods must be implemented to help identify cyber
attacks and ensure ongoing compliance with remote access policies are being
audited and upheld. An examples of a remote access method is the use of the
Remote Desktop Protocol (RDP) from an external, non-organization controlled
network. The /etc/rsyslog.conf or
/etc/rsyslog.d/*.conf file should contain a match for the following
selectors: auth.*, authpriv.*, and daemon.*. If
not, use the following as an example configuration:
auth.*;authpriv.*;daemon.* /var/log/secure |
| Rationale | Logging remote access methods can be used to trace the decrease the risks
associated with remote user access management. It can also be used to spot
cyber attacks and ensure ongoing compliance with organizational policies
surrounding the use of remote access methods. |
Ensure Logs Sent To Remote Host
| Rule ID | xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R7), NT28(R43), NT12(R5), 1, 13, 14, 15, 16, 2, 3, 5, 6, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001348, CCI-000136, CCI-001851, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(8), 164.310(d)(2)(iii), 164.312(b), 164.314(a)(2)(i)(C), 164.314(a)(2)(iii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 7.1, SR 7.2, 0988, 1405, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.17.2.1, CIP-003-8 R5.2, CIP-004-6 R3.3, CM-6(a), AU-4(1), AU-9(2), PR.DS-4, PR.PT-1, FAU_GEN.1.1.c, SRG-OS-000479-GPOS-00224, SRG-OS-000480-GPOS-00227, SRG-OS-000342-GPOS-00133, OL08-00-030690, SV-248814r917914_rule |
| Description | To configure rsyslog to send logs to a remote log server,
open /etc/rsyslog.conf and read and understand the last section of the file,
which describes the multiple directives necessary to activate remote
logging.
Along with these other directives, the system can be configured
to forward its logs to a particular log server by
adding or correcting one of the following lines,
substituting logcollector appropriately.
The choice of protocol depends on the environment of the system;
although TCP and RELP provide more reliable message delivery,
they may not be supported in all environments.
To use UDP for log message delivery: *.* @logcollector To use TCP for log message delivery: *.* @@logcollector To use RELP for log message delivery: *.* :omrelp:logcollector There must be a resolvable DNS CNAME or Alias record set to "logcollector" for logs to be sent correctly to the centralized logging utility. |
| Rationale | A log server (loghost) receives syslog messages from one or more
systems. This data can be used as an additional log source in the event a
system is compromised and its local logs are suspect. Forwarding log messages
to a remote loghost also provides system administrators with a centralized
place to view the status of multiple hosts within the enterprise. |
| Warnings | warning
It is important to configure queues in case the client is sending log
messages to a remote server. If queues are not configured,
the system will stop functioning when the connection
to the remote server is not available. Please consult Rsyslog
documentation for more information about configuration of queues. The
example configuration which should go into /etc/rsyslog.conf
can look like the following lines:
$ActionQueueType LinkedList $ActionQueueFileName queuefilename $ActionQueueMaxDiskSpace 1g $ActionQueueSaveOnShutdown on $ActionResumeRetryCount -1 |
Ensure rsyslog-gnutls is installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog-gnutls_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R43), CCI-000366, FTP_ITC_EXT.1.1, SRG-OS-000480-GPOS-00227, SRG-OS-000120-GPOS-00061, OL08-00-030680, SV-248813r780005_rule |
| Description | TLS protocol support for rsyslog is installed.
The rsyslog-gnutls package can be installed with the following command:
$ sudo yum install rsyslog-gnutls |
| Rationale | The rsyslog-gnutls package provides Transport Layer Security (TLS) support
for the rsyslog daemon, which enables secure remote logging. |
Ensure rsyslog is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsyslog_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, OL08-00-030670, SV-248812r780002_rule |
| Description | Rsyslog is installed by default. The rsyslog package can be installed with the following command: $ sudo yum install rsyslog |
| Rationale | The rsyslog package provides the rsyslog daemon, which provides
system logging services. |
Enable rsyslog Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rsyslog_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, OL08-00-010561, SV-248615r779411_rule |
| Description | The rsyslog service provides syslog-style logging by default on Oracle Linux 8.
The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service |
| Rationale | The rsyslog service must be running in order to provide
logging services, which are essential to system administration. |
Install firewalld Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_firewalld_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, OL08-00-040100, SV-248840r853847_rule |
| Description | The firewalld package can be installed with the following command:
$ sudo yum install firewalld |
| Rationale | "Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
Oracle Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity.
Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)." |
Verify firewalld Enabled
| Rule ID | xccdf_org.ssgproject.content_rule_service_firewalld_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, OL08-00-040101, SV-248841r853848_rule |
| Description |
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service |
| Rationale | Access control methods provide the ability to enhance system security posture
by restricting services and known good IP addresses and address ranges. This
prevents connections from unknown hosts and protocols. |
Configure the Firewalld Ports
| Rule ID | xccdf_org.ssgproject.content_rule_configure_firewalld_ports |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000382, CCI-002314, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1416, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, OL08-00-040030, SV-248835r780071_rule |
| Description | Configure the firewalld ports to allow approved services to have access to the system.
To configure firewalld to open ports, run the following command:
firewall-cmd --permanent --add-port=port_number/tcpTo configure firewalld to allow access for pre-defined services, run the following
command:
firewall-cmd --permanent --add-service=service_name |
| Rationale | In order to prevent unauthorized connection of devices, unauthorized transfer of information,
or unauthorized tunneling (i.e., embedding of data types within data types), organizations must
disable or restrict unused or unnecessary physical and logical ports/protocols on information
systems.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by one component. To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business. |
Firewalld Must Employ a Deny-all, Allow-by-exception Policy for Allowing Connections to Other Systems
| Rule ID | xccdf_org.ssgproject.content_rule_configured_firewalld_default_deny |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-002314, AC-17 (1), SRG-OS-000297-GPOS-00115, OL08-00-040090, SV-248839r853846_rule |
| Description | Oracle Linux 8 incorporates the "firewalld" daemon, which allows for many different configurations. One of these configurations is zones.
Zones can be utilized to a deny-all, allow-by-exception approach.
The default "drop" zone will drop all incoming network packets unless it is explicitly allowed by the configuration file or is related to an outgoing network connection. |
| Rationale | Failure to restrict network connectivity only to authorized systems permits inbound connections from malicious systems.
It also permits outbound connections that may facilitate exfiltration of data. |
Configure Firewalld to Use the Nftables Backend
| Rule ID | xccdf_org.ssgproject.content_rule_firewalld-backend |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-002385, SC-5, SRG-OS-000420-GPOS-00186, OL08-00-040150, SV-248865r902788_rule |
| Description | Firewalld can be configured with many backends, such as nftables. |
| Rationale | Nftables is modern kernel module for controling network connections coming into a system.
Utilizing the limit statement in "nftables" can help to mitigate DoS attacks. |
Configure Accepting Router Advertisements on All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-040261, SV-248884r858671_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Disable Accepting ICMP Redirects for All IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-040280, SV-248888r858679_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-040240, SV-248880r858661_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
Disable Kernel Parameter for IPv6 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-040260, SV-248883r858669_rule |
| Description | To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.all.forwarding=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.all.forwarding = 0 |
| Rationale | IP forwarding permits the kernel to forward packets from one network
interface to another. The ability to forward packets between two networks is
only appropriate for systems acting as routers. |
Disable Accepting Router Advertisements on all IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-040262, SV-248885r858673_rule |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_ra=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_ra = 0 |
| Rationale | An illicit router advertisement message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-040210, SV-248876r858653_rule |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_redirects = 0 |
| Rationale | An illicit ICMP redirect message could result in a man-in-the-middle attack. |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, OL08-00-040250, SV-248882r858665_rule |
| Description | To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv6.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router, which can
be used to bypass network security measures. This requirement applies only to the
forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
the system is functioning as a router.
Accepting source-routed packets in the IPv6 protocol has few legitimate
uses. It should be disabled unless it is absolutely required. |
Disable Accepting ICMP Redirects for All IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-040279, SV-248887r858677_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required." |
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-040239, SV-248879r858659_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures. This requirement
applies only to the forwarding of source-routerd traffic, such as when IPv4
forwarding is enabled and the system is functioning as a router.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required. |
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, OL08-00-040285, SV-248893r858689_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.rp_filter=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.rp_filter = 1 |
| Rationale | Enabling reverse path filtering drops packets with source addresses
that should not have been able to be received on the interface they were
received on. It should not be used on systems which are routers for
complicated networks, but is helpful for end hosts and routers serving small
networks. |
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, OL08-00-040209, SV-248875r858651_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages modify the
host's route table and are unauthenticated. An illicit ICMP redirect
message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required. |
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-040249, SV-248881r858663_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.accept_source_route = 0 |
| Rationale | Source-routed packets allow the source of the packet to suggest routers
forward the packet along a different path than configured on the router,
which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router. |
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.4.3, SRG-OS-000480-GPOS-00227, OL08-00-040230, SV-248878r858657_rule |
| Description | To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.icmp_echo_ignore_broadcasts = 1 |
| Rationale | Responding to broadcast (ICMP) echoes facilitates network mapping
and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network. |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, 1.4.2, SRG-OS-000480-GPOS-00227, OL08-00-040220, SV-248877r858655_rule |
| Description | To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.all.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.all.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-040270, SV-248886r858675_rule |
| Description | To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.conf.default.send_redirects=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.conf.default.send_redirects = 0 |
| Rationale | ICMP redirect messages are used by routers to inform hosts that a more
direct route exists for a particular destination. These messages contain information
from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers. |
Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.1, Req-1.3.2, 1.4.2, SRG-OS-000480-GPOS-00227, OL08-00-040259, SV-252662r858667_rule |
| Description | To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command: $ sudo sysctl -w net.ipv4.ip_forward=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.ipv4.ip_forward = 0 |
| Rationale | Routing protocol daemons are typically used on routers to exchange
network topology information with other routers. If this capability is used when
not required, system network information may be unnecessarily transmitted across
the network. |
| Warnings | warning
Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
profiles or benchmarks that target usage of IPv4 forwarding. |
Disable ATM Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, OL08-00-040021, SV-248829r780053_rule |
| Description | The Asynchronous Transfer Mode (ATM) is a protocol operating on
network, data link, and physical layers, based on virtual circuits
and virtual paths.
To configure the system to prevent the atm
kernel module from being loaded, add the following line to the file /etc/modprobe.d/atm.conf:
install atm /bin/trueTo configure the system to prevent the atm from being used,
add the following line to file /etc/modprobe.d/atm.conf:
blacklist atm |
| Rationale | Disabling ATM protects the system against exploitation of any
flaws in its implementation. |
Disable CAN Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_can_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000381, CCI-000366, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, OL08-00-040022, SV-248830r780056_rule |
| Description | The Controller Area Network (CAN) is a serial communications
protocol which was initially developed for automotive and
is now also used in marine, industrial, and medical applications.
To configure the system to prevent the can
kernel module from being loaded, add the following line to the file /etc/modprobe.d/can.conf:
install can /bin/trueTo configure the system to prevent the can from being used,
add the following line to file /etc/modprobe.d/can.conf:
blacklist can |
| Rationale | Disabling CAN protects the system against exploitation of any
flaws in its implementation. |
Disable IEEE 1394 (FireWire) Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000381, AC-18, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, OL08-00-040026, SV-248834r780068_rule |
| Description | The IEEE 1394 (FireWire) is a serial bus standard for
high-speed real-time communication.
To configure the system to prevent the firewire-core
kernel module from being loaded, add the following line to the file /etc/modprobe.d/firewire-core.conf:
install firewire-core /bin/trueTo configure the system to prevent the firewire-core from being used,
add the following line to file /etc/modprobe.d/firewire-core.conf:
blacklist firewire-core |
| Rationale | Disabling FireWire protects the system against exploitation of any
flaws in its implementation. |
Disable SCTP Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, Req-1.4.2, 1.4.2, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, OL08-00-040023, SV-248831r780059_rule |
| Description | The Stream Control Transmission Protocol (SCTP) is a
transport layer protocol, designed to support the idea of
message-oriented communication, with several streams of messages
within one connection.
To configure the system to prevent the sctp
kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/trueTo configure the system to prevent the sctp from being used,
add the following line to file /etc/modprobe.d/sctp.conf:
blacklist sctp |
| Rationale | Disabling SCTP protects
the system against exploitation of any flaws in its implementation. |
Disable TIPC Support
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | low |
| Identifiers and References | References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, FMT_SMF_EXT.1, SRG-OS-000095-GPOS-00049, OL08-00-040024, SV-248832r818694_rule |
| Description | The Transparent Inter-Process Communication (TIPC) protocol
is designed to provide communications between nodes in a
cluster.
To configure the system to prevent the tipc
kernel module from being loaded, add the following line to the file /etc/modprobe.d/tipc.conf:
install tipc /bin/trueTo configure the system to prevent the tipc from being used,
add the following line to file /etc/modprobe.d/tipc.conf:
blacklist tipc |
| Rationale | Disabling TIPC protects
the system against exploitation of any flaws in its implementation. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as
a node in High Performance Computing cluster, it is expected that
the tipc kernel module will be loaded. |
Disable Bluetooth Kernel Module
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 14, 15, 3, 8, 9, 5.13.1.3, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-001443, CCI-001444, CCI-001551, CCI-002418, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, SRG-OS-000300-GPOS-00118, OL08-00-040111, SV-248843r860921_rule |
| Description | The kernel's module loading system can be configured to prevent
loading of the Bluetooth module. Add the following to
the appropriate /etc/modprobe.d configuration file
to prevent the loading of the Bluetooth module:
install bluetooth /bin/true |
| Rationale | If Bluetooth functionality must be disabled, preventing the kernel
from loading the kernel module provides an additional safeguard against its
activation. |
Deactivate Wireless Network Interfaces
| Rule ID | xccdf_org.ssgproject.content_rule_wireless_disable_interfaces |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-wireless_disable_interfaces:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-1.3.3, 1.4.3, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, OL08-00-040110, SV-248842r853849_rule |
| Description | Deactivating wireless network interfaces should prevent normal usage of the wireless
capability.
Configure the system to disable all wireless network interfaces with the following command: $ sudo nmcli radio all off |
| Rationale | The use of wireless networking can introduce many different attack vectors into
the organization's network. Common attack vectors such as malicious association
and ad hoc networks will allow an attacker to spoof a wireless access point
(AP), allowing validated systems to connect to the malicious AP and enabling the
attacker to monitor and record network traffic. These malicious APs can also
serve to create a man-in-the-middle attack or be used to create a denial of
service to valid network resources. |
check if UP flag is present on wifi interfaces oval:ssg-test_wireless_disable_interfaces:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_active_wifi_interfaces:obj:1 of type interface_object
| Name |
|---|
| ^wl.*$ |
Configure Multiple DNS Servers in /etc/resolv.conf
| Rule ID | xccdf_org.ssgproject.content_rule_network_configure_name_resolution |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-network_configure_name_resolution:def:1 |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, SC-20(a), CM-6(a), PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-010680, SV-248634r779468_rule |
| Description |
Determine whether the system is using local or DNS name resolution with the
following command:
$ sudo grep hosts /etc/nsswitch.conf hosts: files dnsIf the DNS entry is missing from the host's line in the "/etc/nsswitch.conf" file, the "/etc/resolv.conf" file must be empty. Verify the "/etc/resolv.conf" file is empty with the following command: $ sudo ls -al /etc/resolv.conf -rw-r--r-- 1 root root 0 Aug 19 08:31 resolv.confIf the DNS entry is found on the host's line of the "/etc/nsswitch.conf" file, then verify the following: Multiple Domain Name System (DNS) Servers should be configured in /etc/resolv.conf. This provides redundant name resolution services
in the event that a domain server crashes. To configure the system to contain
as least 2 DNS servers, add a corresponding nameserver
ip_address entry in /etc/resolv.conf for each DNS
server where ip_address is the IP address of a valid DNS server.
For example:
search example.com nameserver 192.168.0.1 nameserver 192.168.0.2 |
| Rationale | To provide availability for name resolution services, multiple redundant
name servers are mandated. A failure in name resolution could lead to the
failure of security functions requiring name resolution, which may include
time synchronization, centralized authentication, and remote system logging. |
check if dns is set in host line in /etc/nsswitch.conf oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/nsswitch.conf | hosts: files dns myhostname |
check if more than one nameserver in /etc/resolv.conf oval:ssg-test_network_configure_name_resolution:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_network_configure_name_resolution:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/resolv.conf | ^[\s]*nameserver[\s]+([0-9\.]+)$ | 1 |
check if dns is set in host line in /etc/nsswitch.conf oval:ssg-test_host_line_dns_parameter_nsswitch:tst:1 true
Following items have been found on the system:
| Path | Content |
|---|---|
| /etc/nsswitch.conf | hosts: files dns myhostname |
check if /etc/resolv.conf is empty oval:ssg-test_file_empty_resolv:tst:1 false
Following items have been found on the system:
| Path | Type | UID | GID | Size (B) | Permissions |
|---|---|---|---|---|---|
| /etc/resolv.conf | regular | 0 | 0 | 788 | rw-r--r-- |
Ensure System is Not Acting as a Network Sniffer
| Rule ID | xccdf_org.ssgproject.content_rule_network_sniffer_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:53+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 11, 14, 3, 9, APO11.06, APO12.06, BAI03.10, BAI09.01, BAI09.02, BAI09.03, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.05, DSS04.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.2.3.4, 4.3.3.3.7, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, SR 7.8, A.11.1.2, A.11.2.4, A.11.2.5, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.16.1.6, A.8.1.1, A.8.1.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-7(2), MA-3, DE.DP-5, ID.AM-1, PR.IP-1, PR.MA-1, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-040330, SV-248899r780263_rule |
| Description | The system should not be acting as a network sniffer, which can
capture all traffic on the network to which it is connected. Run the following
to determine if any interface is running in promiscuous mode:
$ ip link | grep PROMISCPromiscuous mode of an interface can be disabled with the following command: $ sudo ip link set dev |
| Rationale | Network interfaces in promiscuous mode allow for the capture of all network traffic
visible to the system. If unauthorized individuals can access these applications, it
may allow them to collect information such as logon IDs, passwords, and key exchanges
between systems.
If the system is being used to perform a network troubleshooting function, the use of these tools must be documented with the Information Systems Security Manager (ISSM) and restricted to only authorized personnel. |
Verify Group Who Owns /var/log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupowner_var_log |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupowner_var_log:def:1 |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, OL08-00-010260, SV-248559r779243_rule |
| Description | To properly set the group owner of /var/log, run the command: $ sudo chgrp root /var/log |
| Rationale | The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel. |
Testing group ownership of /var/log/ oval:ssg-test_file_groupowner_var_log_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_var_log_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /var/log | no value | oval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1 | oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1 |
Verify User Who Owns /var/log Directory
| Rule ID | xccdf_org.ssgproject.content_rule_file_owner_var_log |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_owner_var_log:def:1 |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001314, SRG-OS-000206-GPOS-00084, SRG-APP-000118-CTR-000240, OL08-00-010250, SV-248558r779240_rule |
| Description | To properly set the owner of /var/log, run the command: $ sudo chown root /var/log |
| Rationale | The /var/log directory contains files with logs of error
messages in the system and should only be accessed by authorized
personnel. |
Testing user ownership of /var/log/ oval:ssg-test_file_owner_var_log_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_var_log_0:obj:1 of type file_object
| Path | Filename | Filter | Filter |
|---|---|---|---|
| /var/log | no value | oval:ssg-symlink_file_owner_var_log_uid_0:ste:1 | oval:ssg-state_file_owner_var_log_uid_0_0:ste:1 |
Verify that Shared Library Directories Have Root Group Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_dir_group_ownership_library_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_group_ownership_library_dirs:def:1 |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, OL08-00-010351, SV-252653r818755_rule |
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be
group-owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chgrp root DIR |
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system. |
Testing group ownership of /lib/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_0:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_0:ste:1 |
Testing group ownership of /lib64/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_1:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_1:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib64 | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_1:ste:1 |
Testing group ownership of /usr/lib/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_2:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_2:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_2:ste:1 |
Testing group ownership of /usr/lib64/ oval:ssg-test_file_groupownerdir_group_ownership_library_dirs_3:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupownerdir_group_ownership_library_dirs_3:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib64 | no value | oval:ssg-symlink_file_groupownerdir_group_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_groupownerdir_group_ownership_library_dirs_gid_0_3:ste:1 |
Verify that Shared Library Directories Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_ownership_library_dirs:def:1 |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, OL08-00-010341, SV-252652r818752_rule |
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be
owned by the root user. If the directories, is found to be owned
by a user other than root correct its
ownership with the following command:
$ sudo chown root DIR |
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership of library directories is necessary to protect
the integrity of the system. |
Testing user ownership of /lib/ oval:ssg-test_file_ownerdir_ownership_library_dirs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_0:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1 |
Testing user ownership of /lib64/ oval:ssg-test_file_ownerdir_ownership_library_dirs_1:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_1:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib64 | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1 |
Testing user ownership of /usr/lib/ oval:ssg-test_file_ownerdir_ownership_library_dirs_2:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_2:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1 |
Testing user ownership of /usr/lib64/ oval:ssg-test_file_ownerdir_ownership_library_dirs_3:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownerdir_ownership_library_dirs_3:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib64 | no value | oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1 |
Verify that system commands files are group owned by root or a system account
| Rule ID | xccdf_org.ssgproject.content_rule_file_groupownership_system_commands_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_groupownership_system_commands_dirs:def:1 |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001499, CM-5(6), CM-5(6).1, SRG-OS-000259-GPOS-00100, OL08-00-010320, SV-248569r818625_rule |
| Description | System commands files are stored in the following directories by default:
/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbinAll files in these directories should be owned by the root group,
or a system account.
If the directory, or any file in these directories, is found to be owned
by a group other than root or a a system account correct its ownership
with the following command:
$ sudo chgrp root FILE |
| Rationale | If the operating system allows any user to make changes to software
libraries, then those changes might be implemented without undergoing the
appropriate testing and approvals that are part of a robust change management
process.
This requirement applies to operating systems with software libraries
that are accessible and configurable, as in the case of interpreted languages.
Software libraries also include privileged programs which execute with
escalated privileges. Only qualified and authorized individuals must be
allowed to obtain access to information system components for purposes
of initiating changes, including upgrades and modifications. |
system commands are owned by root or a system account oval:ssg-test_groupownership_system_commands_dirs:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_groupownership_system_commands_dirs:obj:1 of type file_object
| Path | Filename | Filter |
|---|---|---|
| ^\/s?bin|^\/usr\/s?bin|^\/usr\/local\/s?bin | ^.*$ | oval:ssg-state_groupowner_system_commands_dirs_not_root_or_system_account:ste:1 |
Verify that System Executables Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_binary_dirs:def:1 |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, OL08-00-010310, SV-248568r779270_rule |
| Description | System executables are stored in the following directories by default:
/bin /sbin /usr/bin /usr/libexec /usr/local/bin /usr/local/sbin /usr/sbinAll files in these directories should be owned by the root user.
If any file FILE in these directories is found
to be owned by a user other than root, correct its ownership with the
following command:
$ sudo chown root FILE |
| Rationale | System binaries are executed by privileged users as well as system services,
and restrictive permissions are necessary to ensure that their
execution of these programs cannot be co-opted. |
binary directories uid root oval:ssg-test_ownership_binary_directories:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_directories:obj:1 of type file_object
| Path | Filename | Filter |
|---|---|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | no value | oval:ssg-state_owner_binaries_not_root:ste:1 |
binary files uid root oval:ssg-test_ownership_binary_files:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_binary_files:obj:1 of type file_object
| Path | Filename | Filter |
|---|---|---|
| ^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec | ^.*$ | oval:ssg-state_owner_binaries_not_root:ste:1 |
Verify that Shared Library Files Have Root Ownership
| Rule ID | xccdf_org.ssgproject.content_rule_file_ownership_library_dirs |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-file_ownership_library_dirs:def:1 |
| Time | 2023-12-18T23:47:56+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001499, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-5(6), CM-5(6).1, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000259-GPOS-00100, OL08-00-010340, SV-248571r779279_rule |
| Description | System-wide shared library files, which are linked to executables
during process load time or run time, are stored in the following directories
by default:
/lib /lib64 /usr/lib /usr/lib64Kernel modules, which can be added to the kernel during runtime, are also stored in /lib/modules. All files in these directories should be
owned by the root user. If the directory, or any file in these
directories, is found to be owned by a user other than root correct its
ownership with the following command:
$ sudo chown root FILE |
| Rationale | Files from shared library directories are loaded into the address
space of processes (including privileged ones) or of the kernel itself at
runtime. Proper ownership is necessary to protect the integrity of the system. |
Testing user ownership of /lib/ oval:ssg-test_file_ownership_library_dirs_0:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_0:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1 |
Testing user ownership of /lib64/ oval:ssg-test_file_ownership_library_dirs_1:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_1:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /lib64 | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1 |
Testing user ownership of /usr/lib/ oval:ssg-test_file_ownership_library_dirs_2:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_2:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1 |
Testing user ownership of /usr/lib64/ oval:ssg-test_file_ownership_library_dirs_3:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_file_ownership_library_dirs_3:obj:1 of type file_object
| Behaviors | Path | Filename | Filter | Filter |
|---|---|---|---|---|
| no value | /usr/lib64 | ^.*$ | oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1 | oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1 |
Verify that All World-Writable Directories Have Sticky Bits Set
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_sticky_bits:def:1 |
| Time | 2023-12-18T23:47:54+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, OL08-00-010190, SV-248551r779219_rule |
| Description | When the so-called 'sticky bit' is set on a directory,
only the owner of a given file may remove that file from the
directory. Without the sticky bit, any user with write access to a
directory may remove any file in the directory. Setting the sticky
bit prevents users from removing each other's files. In cases where
there is no reason for a directory to be world-writable, a better
solution is to remove that permission rather than to set the sticky
bit. However, if a directory is used by a particular application,
consult that application's documentation instead of blindly
changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command: $ sudo chmod +t DIR |
| Rationale | Failing to set the sticky bit on public directories allows unauthorized
users to delete files in the directory structure.
The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and
for directories requiring global read/write access. |
all local world-writable directories have sticky bit set oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_only_local_directories:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | no value | oval:ssg-state_world_writable_and_not_sticky:ste:1 |
Ensure All World-Writable Directories Are Owned by a System Account
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_system_owned:def:1 |
| Time | 2023-12-18T23:47:54+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, OL08-00-010700, SV-248636r779474_rule |
| Description | All directories in local partitions which are
world-writable should be owned by root or another
system account. If any world-writable directories are not
owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate owner. |
| Rationale | Allowing a user account to own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users. |
check for local directories that are world writable and have uid greater than or equal to 1000 oval:ssg-test_dir_world_writable_uid_gt_value:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_uid:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | no value | oval:ssg-state_uid_is_user_and_world_writable:ste:1 |
Ensure All World-Writable Directories Are Group Owned by a System Account
| Rule ID | xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned_group |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-dir_perms_world_writable_system_owned_group:def:1 |
| Time | 2023-12-18T23:47:54+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, OL08-00-010710, SV-248637r779477_rule |
| Description | All directories in local partitions which are
world-writable should be group owned by root or another
system account. If any world-writable directories are not
group owned by a system account, this should be investigated.
Following this, the files should be deleted or assigned to an
appropriate group. |
| Rationale | Allowing a user account to group own a world-writable directory is
undesirable because it allows the owner of that directory to remove
or replace any files that may be placed in the directory by other
users. |
check for local directories that are world writable and have gid greater than or equal to 1000 oval:ssg-test_dir_world_writable_gid_gt_value:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-all_local_directories_gid:obj:1 of type file_object
| Behaviors | Path | Filename | Filter |
|---|---|---|---|
| no value | / | no value | oval:ssg-state_gid_is_user_and_world_writable:ste:1 |
Ensure All Files Are Owned by a User
| Rule ID | xccdf_org.ssgproject.content_rule_no_files_unowned_by_user |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R55), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, 2.2.6, SRG-OS-000480-GPOS-00227, OL08-00-010780, SV-248646r779504_rule |
| Description | If any files are not owned by a user, then the
cause of their lack of ownership should be investigated.
Following this, the files should be deleted or assigned to an
appropriate user. The following command will discover and print
any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted
filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser |
| Rationale | Unowned files do not directly imply a security problem, but they are generally
a sign that something is amiss. They may
be caused by an intruder, by incorrect software installation or
draft software removal, or by failure to remove all files belonging
to a deleted account. The files should be repaired so they
will not cause problems when accounts are created in the future,
and the cause should be discovered and addressed. |
| Warnings | warning
For this rule to evaluate centralized user accounts, getent must be working properly
so that running the command getent passwdreturns a list of all users in your organization. If using the System Security Services Daemon (SSSD), enumerate = truemust be configured in your organization's domain to return a complete list of users warning
Enabling this rule will result in slower scan times depending on the size of your organization
and number of centralized users. |
Enable Kernel Parameter to Enforce DAC on Hardlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, OL08-00-010374, SV-248578r860912_rule |
| Description | To set the runtime status of the fs.protected_hardlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_hardlinks=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_hardlinks = 1 |
| Rationale | By enabling this kernel parameter, users can no longer create soft or hard links to
files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
based on insecure file system accessed by privileged programs, avoiding an
exploitation vector exploiting unsafe use of open() or creat(). |
Enable Kernel Parameter to Enforce DAC on Symlinks
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:55+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R23), CCI-002165, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), SRG-OS-000312-GPOS-00122, SRG-OS-000312-GPOS-00123, SRG-OS-000324-GPOS-00125, OL08-00-010373, SV-248577r860911_rule |
| Description | To set the runtime status of the fs.protected_symlinks kernel parameter, run the following command: $ sudo sysctl -w fs.protected_symlinks=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: fs.protected_symlinks = 1 |
| Rationale | By enabling this kernel parameter, symbolic links are permitted to be followed
only when outside a sticky world-writable directory, or when the UID of the
link and follower match, or when the directory owner matches the symlink's owner.
Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
open() or creat(). |
Disable the Automounter
| Rule ID | xccdf_org.ssgproject.content_rule_service_autofs_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, OL08-00-040070, SV-248836r780074_rule |
| Description | The autofs daemon mounts and unmounts filesystems, such as user
home directories shared via NFS, on demand. In addition, autofs can be used to handle
removable media, and the default configuration provides the cdrom device as /misc/cd.
However, this method of providing access to removable media is not common, so autofs
can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
possible to configure filesystem mounts statically by editing /etc/fstab
rather than relying on the automounter.
The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service |
| Rationale | Disabling the automounter permits the administrator to
statically control filesystem mounting through /etc/fstab.
Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity. |
Disable Mounting of cramfs
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, OL08-00-040025, SV-248833r780065_rule |
| Description |
To configure the system to prevent the cramfs
kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/trueTo configure the system to prevent the cramfs from being used,
add the following line to file /etc/modprobe.d/cramfs.conf:
blacklist cramfsThis effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only
Linux filesystem embedded in small footprint systems. A
cramfs image can be used without having to first
decompress the image. |
| Rationale | Removing support for unneeded filesystem types reduces the local attack surface
of the server. |
Disable Modprobe Loading of USB Storage Driver
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, OL08-00-040080, SV-248837r818697_rule |
| Description | To prevent USB storage devices from being used, configure the kernel module loading system
to prevent automatic loading of the USB storage driver.
To configure the system to prevent the usb-storage
kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/trueTo configure the system to prevent the usb-storage from being used,
add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storageThis will prevent the modprobe program from loading the usb-storage
module, but will not prevent an administrator (or another program) from using the
insmod program to load the module manually. |
| Rationale | USB storage devices such as thumb drives can be used to introduce
malicious software. |
Add nosuid Option to /boot/efi
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, OL08-00-010572, SV-248618r818648_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /boot/efi. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot/efi. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions. |
Add nosuid Option to /boot
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-000366, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, OL08-00-010571, SV-248617r779417_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /boot. The SUID and SGID permissions
should not be required on the boot partition.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/boot. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from boot partitions. |
Add nodev Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040120, SV-248844r853853_rule |
| Description | The nodev mount option can be used to prevent creation of device
files in /dev/shm. Legitimate character and block devices should
not exist within temporary directories like /dev/shm.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040122, SV-248846r853855_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /dev/shm.
It can be dangerous to allow the execution of binaries
from world-writable temporary storage directories such as /dev/shm.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /dev/shm can expose the system to potential compromise. |
Add nosuid Option to /dev/shm
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040121, SV-248845r853854_rule |
| Description | The nosuid mount option can be used to prevent execution
of setuid programs in /dev/shm. The SUID and SGID permissions should not
be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/dev/shm. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add noexec Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, OL08-00-010590, SV-248620r779426_rule |
| Description | The noexec mount option can be used to prevent binaries from being
executed out of /home.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The /home directory contains data of individual users. Binaries in
this directory should not be considered as trusted and users should not be
able to execute them. |
| Warnings | warning
OVAL looks for partitions whose mount point is a substring of any interactive user's home
directory and validates that noexec option is there. Because of this, there could be false
negatives when several partitions share a base substring. For example, if there is a home
directory in /var/tmp/user1 and there are partitions mounted in /var and
/var/tmp. The noexec option is only expected in /var/tmp, but OVAL will
check both.Bash remediation uses the df command to find out the partition where the home
directory is mounted. However, if the directory doesn't exist the remediation won't be
applied. |
Add nosuid Option to /home
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_home_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R28), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, OL08-00-010570, SV-248616r779414_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /home. The SUID and SGID permissions
should not be required in these user data directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/home. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from user home directory partitions. |
| Warnings | warning
OVAL looks for partitions whose mount point is a substring of any interactive user's home
directory and validates that noexec option is there. Because of this, there could be false
negatives when several partitions share a base substring. For example, if there is a home
directory in /var/tmp/user1 and there are partitions mounted in /var and
/var/tmp. The noexec option is only expected in /var/tmp, but OVAL will
check both.Bash remediation uses the df command to find out the partition where the home
directory is mounted. However, if the directory doesn't exist the remediation won't be
applied. |
Add nodev Option to Non-Root Local Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, OL08-00-010580, SV-248619r779423_rule |
| Description | The nodev mount option prevents files from being interpreted as
character or block devices. Legitimate character and block devices should
exist only in the /dev directory on the root partition or within
chroot jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any non-root local partitions. |
| Rationale | The nodev mount option prevents files from being
interpreted as character or block devices. The only legitimate location
for device files is the /dev directory located on the root partition.
The only exception to this is chroot jails, for which it is not advised
to set nodev on these filesystems. |
Add nodev Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-010600, SV-248621r779429_rule |
| Description | The nodev mount option prevents files from being
interpreted as character or block devices.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. An exception to this is chroot jails, and it is
not advised to set nodev on partitions which contain their root
filesystems. |
Add noexec Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 13, 14, 16, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.03, DSS06.06, CCI-000087, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.7.1.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, A.9.2.1, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-6, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-010610, SV-248622r779432_rule |
| Description | The noexec mount option prevents the direct execution of binaries
on the mounted filesystem. Preventing the direct execution of binaries from
removable media (such as a USB key) provides a defense against malicious
software that may be present on such untrusted media.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | Allowing users to execute binaries from removable media such as USB keys exposes
the system to potential compromise. |
Add nosuid Option to Removable Media Partitions
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.06, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.AC-3, PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000480-GPOS-00227, OL08-00-010620, SV-248623r779435_rule |
| Description | The nosuid mount option prevents set-user-identifier (SUID)
and set-group-identifier (SGID) permissions from taking effect. These permissions
allow users to execute binaries with the same permissions as the owner and group
of the file respectively. Users should not be allowed to introduce SUID and SGID
files into the system via partitions mounted from removeable media.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
any removable media partitions. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Allowing
users to introduce SUID or SGID binaries from partitions mounted off of
removable media would allow them to introduce their own highly-privileged programs. |
Add nodev Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040123, SV-248847r853856_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /tmp. Legitimate character and block devices
should not exist within temporary directories like /tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /tmp
Add nosuid Option to /tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040124, SV-248848r853857_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Add nodev Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040129, SV-248853r853862_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log/audit.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040131, SV-248855r853864_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log/audit.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | Allowing users to execute binaries from directories containing audit log files
such as /var/log/audit should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/log/audit
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040130, SV-248854r853863_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log/audit. The SUID and SGID permissions
should not be required in directories containing audit log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log/audit. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for audit log files. |
Add nodev Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040126, SV-248850r853859_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/log.
Legitimate character and block devices should exist only in
the /dev directory on the root partition or within chroot
jails built for system services.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040128, SV-248852r853861_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/log.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | Allowing users to execute binaries from directories containing log files
such as /var/log should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/log
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, OL08-00-040127, SV-248851r853860_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/log. The SUID and SGID permissions
should not be required in directories containing log files.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/log. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from partitions
designated for log files. |
Add nodev Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, OL08-00-040132, SV-248856r853865_rule |
| Description | The nodev mount option can be used to prevent device files from
being created in /var/tmp. Legitimate character and block devices
should not exist within temporary directories like /var/tmp.
Add the nodev option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The only legitimate location for device files is the /dev directory
located on the root partition. The only exception to this is chroot jails. |
Add noexec Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, OL08-00-040134, SV-248858r853867_rule |
| Description | The noexec mount option can be used to prevent binaries
from being executed out of /var/tmp.
Add the noexec option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | Allowing users to execute binaries from world-writable directories
such as /var/tmp should never be necessary in normal operation and
can expose the system to potential compromise. |
Add nosuid Option to /var/tmp
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, OL08-00-040133, SV-248857r853866_rule |
| Description | The nosuid mount option can be used to prevent
execution of setuid programs in /var/tmp. The SUID and SGID permissions
should not be required in these world-writable directories.
Add the nosuid option to the fourth column of
/etc/fstab for the line which controls mounting of
/var/tmp. |
| Rationale | The presence of SUID and SGID executables should be tightly controlled. Users
should not be able to execute SUID or SGID binaries from temporary storage partitions. |
Disable acquiring, saving, and processing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, OL08-00-010672, SV-248630r779456_rule |
| Description | The systemd-coredump.socket unit is a socket activation of
the systemd-coredump@.service which processes core dumps.
By masking the unit, core dump processing is disabled. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers trying to debug problems. |
Disable core dump backtraces
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_backtraces |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_backtraces:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1.1, 3.3.1.2, 3.3.1.3, SRG-OS-000480-GPOS-00227, OL08-00-010675, SV-248633r779465_rule |
| Description | The ProcessSizeMax option in [Coredump] section
of /etc/systemd/coredump.conf
specifies the maximum size in bytes of a core which will be processed.
Core dumps exceeding this size may be stored, but the backtrace will not
be generated. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems.
Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_backtraces:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf.d file oval:ssg-test_coredump_disable_backtraces_config_dir:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_backtraces_config_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable storing core dump
| Rule ID | xccdf_org.ssgproject.content_rule_coredump_disable_storage |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-coredump_disable_storage:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6, FMT_SMF_EXT.1, Req-3.2, 3.3.1.1, 3.3.1.2, 3.3.1.3, SRG-OS-000480-GPOS-00227, OL08-00-010674, SV-248632r779462_rule |
| Description | The Storage option in [Coredump] sectionof /etc/systemd/coredump.conf
can be set to none to disable storing core dumps permanently. |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data
and is generally useful only for developers or system operators trying to
debug problems. Enabling core dumps on production systems is not recommended,
however there may be overriding operational requirements to enable advanced
debuging. Permitting temporary enablement of core dumps during such situations
should be reviewed through local needs and policy. |
| Warnings | warning
If the /etc/systemd/coredump.conf file
does not already contain the [Coredump] section,
the value will not be configured correctly. |
tests the value of Storage setting in the /etc/systemd/coredump.conf file oval:ssg-test_coredump_disable_storage:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/systemd/coredump.conf | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
tests the value of Storage setting in the /etc/systemd/coredump.conf.d file oval:ssg-test_coredump_disable_storage_config_dir:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-obj_coredump_disable_storage_config_dir:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/systemd/coredump.conf.d | .*\.conf$ | ^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#) | 1 |
Disable Core Dumps for All Users
| Rule ID | xccdf_org.ssgproject.content_rule_disable_users_coredumps |
| Result | fail |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-disable_users_coredumps:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 15, 16, 2, 7, 8, APO13.01, BAI04.04, DSS01.03, DSS03.05, DSS05.07, CCI-000366, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.17.2.1, CM-6, SC-7(10), DE.CM-1, PR.DS-4, 3.3.1.1, 3.3.1.2, 3.3.1.3, SRG-OS-000480-GPOS-00227, OL08-00-010673, SV-248631r779459_rule |
| Description | To disable core dumps for all users, add the following line to
/etc/security/limits.conf, or to a file within the
/etc/security/limits.d/ directory:
* hard core 0 |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory oval:ssg-test_core_dumps_limits_d:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) | 1 |
Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory oval:ssg-test_core_dumps_limits_d_exists:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limits_d_exists:obj:1 of type textfilecontent54_object
| Path | Filename | Pattern | Instance |
|---|---|---|---|
| /etc/security/limits.d | ^.*\.conf$ | ^[\s]*\*[\s]+(?:hard|-)[\s]+core | 1 |
Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file oval:ssg-test_core_dumps_limitsconf:tst:1 false
No items have been found conforming to the following objects:
Object oval:ssg-object_core_dumps_limitsconf:obj:1 of type textfilecontent54_object
| Filepath | Pattern | Instance |
|---|---|---|
| /etc/security/limits.conf | ^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+) | 1 |
Restrict Exposed Kernel Pointer Addresses Access
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R23), CCI-002824, CCI-000366, CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), SC-30(5), CM-6(a), SRG-OS-000132-GPOS-00067, SRG-OS-000433-GPOS-00192, SRG-OS-000480-GPOS-00227, OL08-00-040283, SV-248891r858685_rule |
| Description | To set the runtime status of the kernel.kptr_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.kptr_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kptr_restrict = 1 |
| Rationale | Exposing kernel pointers (through procfs or seq_printf()) exposes kernel
writeable structures which may contain functions pointers. If a write vulnerability
occurs in the kernel, allowing write access to any of this structure, the kernel can
be compromised. This option disallow any program without the CAP_SYSLOG capability
to get the addresses of kernel pointers by replacing them with 0. |
Enable Randomized Layout of Virtual Address Space
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), Req-2.2.1, 2.2.3, SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, SRG-APP-000450-CTR-001105, OL08-00-010430, SV-248594r860918_rule |
| Description | To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command: $ sudo sysctl -w kernel.randomize_va_space=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.randomize_va_space = 2 |
| Rationale | Address space layout randomization (ASLR) makes it more difficult for an
attacker to predict the location of attack code they have introduced into a
process's address space during an attempt at exploitation. Additionally,
ASLR makes it more difficult for an attacker to know the location of
existing code in order to re-purpose it using return oriented programming
(ROP) techniques. |
Enable NX or XD Support in the BIOS
| Rule ID | xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.7, CCI-002824, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, SC-39, CM-6(a), PR.IP-1, 2.2.1, SRG-OS-000433-GPOS-00192, SRG-APP-000450-CTR-001105, OL08-00-010420, SV-248589r853770_rule |
| Description | Reboot the system and enter the BIOS or Setup configuration menu.
Navigate the BIOS configuration menu and make sure that the option is enabled. The setting may be located
under a Security section. Look for Execute Disable (XD) on Intel-based systems and No Execute (NX)
on AMD-based systems. |
| Rationale | Computers with the ability to prevent this type of code execution frequently put an option in the BIOS that will
allow users to turn the feature on or off at will. |
Enable page allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_page_poison_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R8), CCI-001084, CM-6(a), SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, OL08-00-010421, SV-248590r779336_rule |
| Description | To enable poisoning of free pages,
add the argument page_poison=1 to the default
GRUB 2 command line for the Linux operating system.
To ensure that page_poison=1 is added as a kernel command line
argument to newly installed kernels, add page_poison=1 to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... page_poison=1 ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="page_poison=1" |
| Rationale | Poisoning writes an arbitrary value to freed pages, so any modification or
reference to that page after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory. |
Enable SLUB/SLAB allocator poisoning
| Rule ID | xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R8), CCI-001084, CM-6(a), SRG-OS-000433-GPOS-00192, SRG-OS-000134-GPOS-00068, OL08-00-010423, SV-248592r779342_rule |
| Description | To enable poisoning of SLUB/SLAB objects,
add the argument slub_debug=P to the default
GRUB 2 command line for the Linux operating system.
To ensure that slub_debug=P is added as a kernel command line
argument to newly installed kernels, add slub_debug=P to the
default Grub2 command line for Linux operating systems. Modify the line within
/etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... slub_debug=P ..."Run the following command to update command line for already installed kernels: # grubby --update-kernel=ALL --args="slub_debug=P" |
| Rationale | Poisoning writes an arbitrary value to freed objects, so any modification or
reference to that object after being freed or before being initialized will be
detected and prevented.
This prevents many types of use-after-free vulnerabilities at little performance cost.
Also prevents leak of data and detection of corrupted memory. |
Disable the uvcvideo module
| Rule ID | xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000381, CM-7 (a), CM-7 (5) (b), SRG-OS-000095-GPOS-00049, SRG-OS-000370-GPOS-00155, OL08-00-040020, SV-248828r818691_rule |
| Description | If the device contains a camera it should be covered or disabled when not in use. |
| Rationale | Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.
Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures. |
Disable storing core dumps
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, OL08-00-010671, SV-248629r858629_rule |
| Description | To set the runtime status of the kernel.core_pattern kernel parameter, run the following command: $ sudo sysctl -w kernel.core_pattern=|/bin/falseTo make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.core_pattern = |/bin/false |
| Rationale | A core dump includes a memory image taken at the time the operating system
terminates an application. The memory image could contain sensitive data and is generally useful
only for developers trying to debug problems. |
Restrict Access to Kernel Message Buffer
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R23), 3.1.5, CCI-001090, CCI-001314, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), SI-11(a), SI-11(b), SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, OL08-00-010375, SV-248579r858617_rule |
| Description | To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command: $ sudo sysctl -w kernel.dmesg_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.dmesg_restrict = 1 |
| Rationale | Unprivileged access to the kernel syslog can expose sensitive kernel
address information. |
Disable Kernel Image Loading
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001749, CM-6, SRG-OS-000480-GPOS-00227, SRG-OS-000366-GPOS-00153, OL08-00-010372, SV-248576r917907_rule |
| Description | To set the runtime status of the kernel.kexec_load_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.kexec_load_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.kexec_load_disabled = 1 |
| Rationale | Disabling kexec_load allows greater control of the kernel memory.
It makes it impossible to load another kernel image after it has been disabled.
|
Disallow kernel profiling by unprivileged users
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: BP28(R23), CCI-001090, AC-6, FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000138-GPOS-00069, SRG-APP-000243-CTR-000600, OL08-00-010376, SV-248580r858619_rule |
| Description | To set the runtime status of the kernel.perf_event_paranoid kernel parameter, run the following command: $ sudo sysctl -w kernel.perf_event_paranoid=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.perf_event_paranoid = 2 |
| Rationale | Kernel profiling can reveal sensitive information about kernel behaviour. |
Disable Access to Network bpf() Syscall From Unprivileged Processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R9), CCI-000366, AC-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, OL08-00-040281, SV-248889r858681_rule |
| Description | To set the runtime status of the kernel.unprivileged_bpf_disabled kernel parameter, run the following command: $ sudo sysctl -w kernel.unprivileged_bpf_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.unprivileged_bpf_disabled = 1 |
| Rationale | Loading and accessing the packet filters programs and maps using the bpf()
syscall has the potential of revealing sensitive information about the kernel state. |
Restrict usage of ptrace to descendant processes
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R25), CCI-000366, SC-7(10), SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227, OL08-00-040282, SV-248890r858683_rule |
| Description | To set the runtime status of the kernel.yama.ptrace_scope kernel parameter, run the following command: $ sudo sysctl -w kernel.yama.ptrace_scope=1To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: kernel.yama.ptrace_scope = 1 |
| Rationale | Unrestricted usage of ptrace allows compromised binaries to run ptrace
on another processes of the user. Like this, the attacker can steal
sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
without any additional assistance from the user (i.e. without resorting to phishing).
|
Harden the operation of the BPF just-in-time compiler
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R12), CCI-000366, CM-6, SC-7(10), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, OL08-00-040286, SV-248894r858691_rule |
| Description | To set the runtime status of the net.core.bpf_jit_harden kernel parameter, run the following command: $ sudo sysctl -w net.core.bpf_jit_harden=2To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d: net.core.bpf_jit_harden = 2 |
| Rationale | When hardened, the extended Berkeley Packet Filter just-in-time compiler
will randomize any kernel addresses in the BPF programs and maps,
and will not expose the JIT addresses in /proc/kallsyms. |
Disable the use of user namespaces
| Rule ID | xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SC-39, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, OL08-00-040284, SV-248892r858687_rule |
| Description | To set the runtime status of the user.max_user_namespaces kernel parameter,
run the following command:
$ sudo sysctl -w user.max_user_namespaces=0To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
user.max_user_namespaces = 0When containers are deployed on the machine, the value should be set to large non-zero value. |
| Rationale | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.
They increase the risk to the platform by providing additional attack vectors.
User namespaces are used primarily for Linux containers. The value 0
disallows the use of user namespaces. |
| Warnings | warning
This configuration baseline was created to deploy the base operating system for general purpose
workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
it is expected that user.max_user_namespaces will be enabled. |
Install policycoreutils Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_policycoreutils_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-001084, SRG-OS-000480-GPOS-00227, SRG-OS-000134-GPOS-00068, OL08-00-010171, SV-248549r779213_rule |
| Description | The policycoreutils package can be installed with the following command:
$ sudo yum install policycoreutils |
| Rationale | Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
with enhanced security functionality designed to add mandatory access controls to Linux.
The Security-enhanced Linux kernel contains new architectural components originally
developed to improve security of the Flask operating system. These architectural components
provide general support for the enforcement of many kinds of mandatory access control
policies, including those based on the concepts of Type Enforcement, Role-based Access
Control, and Multi-level Security.
policycoreutils contains the policy core utilities that are required for
basic operation of an SELinux-enabled system. These utilities include load_policy
to load SELinux policies, setfiles to label filesystems, newrole to
switch roles, and so on. |
Configure SELinux Policy
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_policytype |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-APP-000233-CTR-000585, OL08-00-010450, SV-248596r853774_rule |
| Description | The SELinux targeted policy is appropriate for
general-purpose desktops and servers, as well as systems in many other roles.
To configure the system to use this policy, add or correct the following line
in /etc/selinux/config:
SELINUXTYPE=targetedOther policies, such as mls, provide additional security labeling
and greater confinement but are not compatible with many general-purpose
use cases. |
| Rationale | Setting the SELinux policy to targeted or a more specialized policy
ensures the system will confine processes that are likely to be
targeted for exploitation, such as network or system services.
Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such
temporary cases, SELinux policies should be developed, and once work
is completed, the system should be reconfigured to
targeted. |
Ensure SELinux State is Enforcing
Map System Users To The Appropriate SELinux Role
| Rule ID | xccdf_org.ssgproject.content_rule_selinux_user_login_roles |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-002165, CCI-002235, SRG-OS-000324-GPOS-00125, OL08-00-040400, SV-248907r877392_rule |
| Description | Configure the operating system to prevent non-privileged users from executing
privileged functions to include disabling, circumventing, or altering
implemented security safeguards/countermeasures. All administrators must be
mapped to the sysadm_u or staff_u users with the
appropriate domains (sysadm_t and staff_t).
$ sudo semanage login -m -s sysadm_u USERor $ sudo semanage login -m -s staff_u USER All authorized non-administrative users must be mapped to the user_u role or the appropriate domain
(user_t).
$ sudo semanage login -m -s user_u USER |
| Rationale | Preventing non-privileged users from executing privileged functions mitigates
the risk that unauthorized individuals or processes may gain unnecessary access
to information or privileges.
Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from non-privileged users. |
Uninstall Automatic Bug Reporting Tool (abrt)
| Rule ID | xccdf_org.ssgproject.content_rule_package_abrt_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_abrt_removed:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000381, SRG-OS-000095-GPOS-00049, OL08-00-040001, SV-248824r780038_rule |
| Description | The Automatic Bug Reporting Tool ( abrt) collects
and reports crash data when an application crash is detected. Using a variety
of plugins, abrt can email crash reports to system administrators, log crash
reports to files, or forward crash reports to a centralized issue tracking
system such as RHTSupport.
The abrt package can be removed with the following command:
$ sudo yum erase abrt |
| Rationale | Mishandling crash data could expose sensitive information about
vulnerabilities in software executing on the system, as well as sensitive
information from within a process's address space or registers. |
package abrt is removed oval:ssg-test_package_abrt_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_abrt_removed:obj:1 of type rpminfo_object
| Name |
|---|
| abrt |
Disable KDump Kernel Crash Analyzer (kdump)
| Rule ID | xccdf_org.ssgproject.content_rule_service_kdump_disabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000366, CCI-001665, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, FMT_SMF_EXT.1.1, SRG-OS-000269-GPOS-00103, SRG-OS-000480-GPOS-00227, OL08-00-010670, SV-248628r779450_rule |
| Description | The kdump service provides a kernel crash dump analyzer. It uses the kexec
system call to boot a secondary kernel ("capture" kernel) following a system
crash, which can load information from the crashed kernel for analysis.
The kdump service can be disabled with the following command:
$ sudo systemctl mask --now kdump.service |
| Rationale | Kernel core dumps may contain the full contents of system memory at the
time of the crash. Kernel core dumps consume a considerable amount of disk
space and may result in denial of service by exhausting the available space
on the target file system partition. Unless the system is used for kernel
development or testing, there is little need to run the kdump service. |
Install fapolicyd Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_fapolicyd_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001764, CCI-001774, CM-6(a), SI-4(22), SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, OL08-00-040135, SV-248859r853868_rule |
| Description | The fapolicyd package can be installed with the following command:
$ sudo yum install fapolicyd |
| Rationale | fapolicyd (File Access Policy Daemon)
implements application whitelisting to decide file access rights. |
Enable the File Access Policy Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001764, CCI-001774, CM-6(a), SI-4(22), FMT_SMF_EXT.1, SRG-OS-000370-GPOS-00155, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00230, OL08-00-040136, SV-248860r853869_rule |
| Description | The File Access Policy service should be enabled.
The fapolicyd service can be enabled with the following command:
$ sudo systemctl enable fapolicyd.service |
| Rationale | The fapolicyd service (File Access Policy Daemon)
implements application whitelisting to decide file access rights. |
Configure Fapolicy Module to Employ a Deny-all, Permit-by-exception Policy to Allow the Execution of Authorized Software Programs.
| Rule ID | xccdf_org.ssgproject.content_rule_fapolicy_default_deny |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001764, CM-7 (2), CM-7 (5) (b), CM-6 b, SRG-OS-000368-GPOS-00154, SRG-OS-000370-GPOS-00155, SRG-OS-000480-GPOS-00232, OL08-00-040137, SV-248861r860922_rule |
| Description | The Fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs and to prevent unauthorized software from running. |
| Rationale | Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software.
Using only authorized software decreases risk by limiting the number of potential vulnerabilities. Verification of whitelisted software occurs prior to execution or at system startup.
Proceed with caution with enforcing the use of this daemon.
Improper configuration may render the system non-functional.
The "fapolicyd" API is not namespace aware and can cause issues when launching or running containers. |
| Warnings | warning
This rule doesn't come with a remediation. Before remediating the system administrator needs to create an allowlist of authorized software. |
Uninstall vsftpd Package
package vsftpd is removed oval:ssg-test_package_vsftpd_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type rpminfo_object
| Name |
|---|
| vsftpd |
Remove the Kerberos Server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_krb5-server_removed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000803, IA-7, IA-7.1, SRG-OS-000120-GPOS-00061, OL08-00-010163, SV-248547r779207_rule |
| Description | The krb5-server package should be removed if not in use.
Is this system the Kerberos server? If not, remove the package.
The krb5-server package can be removed with the following command:
$ sudo yum erase krb5-serverThe krb5-server RPM is not installed by default on a Oracle Linux 8 system. It is needed only by the Kerberos servers, not by the clients which use Kerberos for authentication. If the system is not intended for use as a Kerberos Server it should be removed. |
| Rationale | Unnecessary packages should not be installed to decrease the attack
surface of the system. While this software is clearly essential on an KDC
server, it is not necessary on typical desktop or workstation systems. |
Disable Kerberos by removing host keytab
| Rule ID | xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000803, 0418, 1055, 1402, FTP_ITC_EXT.1, SRG-OS-000120-GPOS-00061, OL08-00-010161, SV-248545r779201_rule |
| Description | Kerberos is not an approved key distribution method for
Common Criteria. To prevent using Kerberos by system daemons,
remove the Kerberos keytab files, especially
/etc/krb5.keytab. |
| Rationale | The key derivation function (KDF) in Kerberos is not FIPS compatible. |
Configure System to Forward All Mail From Postmaster to The Root Account
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000139, AU-5(a), AU-5.1(ii), SRG-OS-000046-GPOS-00022, OL08-00-030030, SV-248725r779741_rule |
| Description | Verify the administrators are notified in the event of an audit processing failure.
Check that the "/etc/aliases" file has a defined value for "root".
$ sudo grep "postmaster:\s*root$" /etc/aliases postmaster: root |
| Rationale | It is critical for the appropriate personnel to be aware if a system is at risk of failing to
process audit logs as required. Without this notification, the security personnel may be
unaware of an impending failure of the audit capability, and system operation may be adversely
affected.
Audit processing failures include software/hardware errors, failures in the audit capturing
mechanisms, and audit storage capacity being reached or exceeded. |
Prevent Unrestricted Mail Relaying
| Rule ID | xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-040290, SV-248895r780251_rule |
| Description | Modify the /etc/postfix/main.cffile to restrict client connections to the local network with the following command: $ sudo postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject' |
| Rationale | If unrestricted mail relaying is permitted, unauthorized senders could use this
host as a mail relay for the purpose of sending spam or other unauthorized
activity. |
The mailx Package Is Installed
| Rule ID | xccdf_org.ssgproject.content_rule_package_mailx_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001744, CM-3(5), SRG-OS-000363-GPOS-00150, OL08-00-010358, SV-256979r902803_rule |
| Description | A mail server is required for sending emails.
The mailx package can be installed with the following command:
$ sudo yum install mailx |
| Rationale | Emails can be used to notify designated personnel about important
system events such as failures or warnings. |
Uninstall Sendmail Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_sendmail_removed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R1), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, SRG-OS-000095-GPOS-00049, OL08-00-040002, SV-248825r780041_rule |
| Description | Sendmail is not the default mail transfer agent and is
not installed by default.
The sendmail package can be removed with the following command:
$ sudo yum erase sendmail |
| Rationale | The sendmail software was not developed with security in mind and
its design prevents it from being effectively contained by SELinux. Postfix
should be used instead. |
Mount Remote Filesystems with nodev
Mount Remote Filesystems with noexec
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(8), AC-6(10), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, OL08-00-010630, SV-248624r779438_rule |
| Description | Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | The noexec mount option causes the system not to execute binary files. This option must be used
for mounting any file system not containing approved binary files as they may be incompatible. Executing
files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized
administrative access. |
Mount Remote Filesystems with nosuid
| Rule ID | xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6, AC-6(1), CM6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, OL08-00-010650, SV-248626r779444_rule |
| Description | Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of
any NFS mounts. |
| Rationale | NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
should be installed to their default location on the local filesystem. |
Disable chrony daemon from acting as server
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_client_only |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000381, AU-8(1), AU-12(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, OL08-00-030741, SV-248821r780029_rule |
| Description | The port option in /etc/chrony.conf can be set to
0 to make chrony daemon to never open any listening port
for server operation and to operate strictly in a client-only mode. |
| Rationale | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types within data types), organizations must disable or restrict unused or unnecessary physical and logical ports/protocols on information systems.
Operating systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Additionally, it is sometimes convenient to provide multiple services from a single component (e.g., VPN and IPS); however, doing so increases risk over limiting the services provided by any one component.
To support the requirements and principles of least functionality, the operating system must support the organizational requirements, providing only essential capabilities and limiting the use of ports, protocols, and/or services to only those required, authorized, and approved to conduct official business or to address authorized quality of life issues. |
Disable network management of chrony daemon
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000381, CM-7(1), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000095-GPOS-00049, OL08-00-030742, SV-248822r780032_rule |
| Description | The cmdport option in /etc/chrony.conf can be set to
0 to stop chrony daemon from listening on the UDP port 323
for management connections made by chronyc. |
| Rationale | Minimizing the exposure of the server functionality of the chrony
daemon diminishes the attack surface. |
Configure Time Service Maxpoll Interval
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001891, CCI-002046, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), AU-8(1)(b), AU-12(1), PR.PT-1, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, OL08-00-030740, SV-248820r877038_rule |
| Description | The maxpoll should be configured to
16 in /etc/ntp.conf or
/etc/chrony.conf to continuously poll time servers. To configure
maxpoll in /etc/ntp.conf or /etc/chrony.conf
add the following after each `server`, `pool` or `peer` entry:
maxpoll 16to serverdirectives. If using chrony any pooldirectives should be configured too. If no server or pool directives are configured, the rule evaluates
to pass. |
| Rationale | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Sources outside the configured acceptable allowance (drift) may be inaccurate.
Synchronizing internal information system clocks provides uniformity of time stamps for information systems with multiple system clocks and systems connected over a network.
Organizations should consider endpoints that may not have regular access to the authoritative time server (e.g., mobile, teleworking, and tactical endpoints). |
Ensure Chrony is only configured with the server directive
| Rule ID | xccdf_org.ssgproject.content_rule_chronyd_server_directive |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001891, SRG-OS-000355-GPOS-00143, SRG-OS-000356-GPOS-00144, SRG-OS-000359-GPOS-00146, OL08-00-030740, SV-248820r877038_rule |
| Description | Check that Chrony only has time sources configured with the server directive. |
| Rationale | Depending on the infrastructure being used the pool directive may not be supported. |
| Warnings | warning
This rule doesn't come with a remediation, the time source needs to be added by the administrator. |
Uninstall rsh-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_rsh-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_rsh-server_removed:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, OL08-00-040010, SV-248827r780047_rule |
| Description | The rsh-server package can be removed with the following command:
$ sudo yum erase rsh-server |
| Rationale | The rsh-server service provides unencrypted remote access service which does not
provide for the confidentiality and integrity of user passwords or the remote session and has very weak
authentication. If a privileged user were to login using this service, the privileged user password
could be compromised. The rsh-server package provides several obsolete and insecure
network services. Removing it decreases the risk of those services' accidental (or intentional)
activation. |
package rsh-server is removed oval:ssg-test_package_rsh-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| rsh-server |
Remove Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_host_based_files |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_host_based_files:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010460, SV-248597r779357_rule |
| Description | The shosts.equiv file lists remote hosts and users that are trusted by the local
system. To remove these files, run the following command to delete them from any location:
$ sudo rm /[path]/[to]/[file]/shosts.equiv |
| Rationale | The shosts.equiv files are used to configure host-based authentication for the system via SSH.
Host-based authentication is not sufficient for preventing unauthorized access to the system,
as it does not require interactive identification and authentication of a connection request,
or for the use of two-factor authentication. |
look for shosts.equiv in / oval:ssg-test_no_shosts_equiv:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_equiv_files_root:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | / | shosts.equiv |
Remove User Host-Based Authentication Files
| Rule ID | xccdf_org.ssgproject.content_rule_no_user_host_based_files |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-no_user_host_based_files:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | high |
| Identifiers and References | References: CCI-000366, SRG-OS-000480-GPOS-00227, OL08-00-010470, SV-248598r779360_rule |
| Description | The ~/.shosts (in each user's home directory) files
list remote hosts and users that are trusted by the
local system. To remove these files, run the following command
to delete them from any location:
$ sudo find / -name '.shosts' -type f -delete |
| Rationale | The .shosts files are used to configure host-based authentication for
individual users or the system via SSH. Host-based authentication is not
sufficient for preventing unauthorized access to the system, as it does not
require interactive identification and authentication of a connection request,
or for the use of two-factor authentication. |
look for .shosts in / oval:ssg-test_no_shosts:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-object_no_shosts_files_root:obj:1 of type file_object
| Behaviors | Path | Filename |
|---|---|---|
| no value | / | .shosts |
Uninstall telnet-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_telnet-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_telnet-server_removed:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, Req-2.2.2, 2.2.4, SRG-OS-000095-GPOS-00049, OL08-00-040000, SV-248823r780035_rule |
| Description | The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server |
| Rationale | It is detrimental for operating systems to provide, or install by default,
functionality exceeding requirements or mission objectives. These
unnecessary capabilities are often overlooked and therefore may remain
unsecure. They increase the risk to the platform by providing additional
attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised. Removing the telnet-server package decreases the risk of the
telnet service's accidental (or intentional) activation. |
package telnet-server is removed oval:ssg-test_package_telnet-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| telnet-server |
Uninstall tftp-server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_tftp-server_removed |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-package_tftp-server_removed:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | high |
| Identifiers and References | References: BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-040190, SV-248873r780185_rule |
| Description | The tftp-server package can be removed with the following command: $ sudo yum erase tftp-server |
| Rationale | Removing the tftp-server package decreases the risk of the accidental
(or intentional) activation of tftp services.
If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established. |
package tftp-server is removed oval:ssg-test_package_tftp-server_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object
| Name |
|---|
| tftp-server |
Ensure tftp Daemon Uses Secure Mode
| Rule ID | xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 12, 13, 14, 15, 16, 18, 3, 5, 8, 9, APO01.06, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(b), AC-6, CM-7(a), PR.AC-3, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-040350, SV-248902r780272_rule |
| Description | If running the Trivial File Transfer Protocol (TFTP) service is necessary,
it should be configured to change its root directory at startup. To do so,
ensure /etc/xinetd.d/tftp includes -s as a command line argument,
as shown in the following example:
server_args = -s /var/lib/tftpboot |
| Rationale | Using the -s option causes the TFTP service to only serve files from the
given directory. Serving files from an intentionally-specified directory
reduces the risk of sharing files which should remain private. |
Enable the Hardware RNG Entropy Gatherer Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_rngd_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000366, FCS_RBG_EXT.1, SRG-OS-000480-GPOS-00227, OL08-00-010471, SV-248599r917910_rule |
| Description | The Hardware RNG Entropy Gatherer service should be enabled.
The rngd service can be enabled with the following command:
$ sudo systemctl enable rngd.service |
| Rationale | The rngd service
feeds random data from hardware device to kernel random device. |
Set SSH Client Alive Count Max to zero
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0 |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, OL08-00-010200, SV-248552r917896_rule |
| Description | The SSH server sends at most ClientAliveCountMax messages
during a SSH session and waits for a response from the SSH client.
The option ClientAliveInterval configures timeout after
each ClientAliveCountMax message. If the SSH server does not
receive a response from the client, then the connection is considered unresponsive
and terminated.
To ensure the SSH timeout occurs precisely when the
ClientAliveInterval is set, set the ClientAliveCountMax to
value of 0 in
/etc/ssh/sshd_config: |
| Rationale | This ensures a user login will be terminated as soon as the ClientAliveInterval
is reached. |
Set SSH Client Alive Interval
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, 8.2.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, OL08-00-010201, SV-248553r917899_rule |
| Description | SSH allows administrators to set a network responsiveness timeout interval.
After this interval has passed, the unresponsive client will be automatically logged out.
To set this timeout interval, edit the following line in /etc/ssh/sshd_config as
follows:
ClientAliveInterval 600 The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600. If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that
some processes may stop SSH from correctly detecting that the user is idle. |
| Rationale | Terminating an idle ssh session within a short time period reduces the window of
opportunity for unauthorized personnel to take control of a management session
enabled on the console or console port that has been let unattended. |
| Warnings | warning
SSH disconnecting unresponsive clients will not have desired effect without also
configuring ClientAliveCountMax in the SSH service configuration. warning
Following conditions may prevent the SSH session to time out:
|
Disable SSH Access via Empty Passwords
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | high |
| Identifiers and References | References: NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, Req-2.2.4, 2.2.6, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, OL08-00-020330, SV-248714r858582_rule |
| Description | Disallow SSH login with empty passwords.
The default SSH configuration disables logins with empty passwords. The appropriate
configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords noAny accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords. |
| Rationale | Configuring this setting for the SSH daemon provides additional assurance
that remote login via SSH will require a password, even in the event of
misconfiguration elsewhere. |
Disable GSSAPI Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0418, 1055, 1402, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-7(a), CM-7(b), CM-6(a), AC-17(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, OL08-00-010522, SV-248607r858576_rule |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like GSSAPI.
The default SSH configuration disallows authentications based on GSSAPI. The appropriate configuration is used if no value is set for GSSAPIAuthentication.
To explicitly disable GSSAPI authentication, add or correct the following line in /etc/ssh/sshd_config:
GSSAPIAuthentication no |
| Rationale | GSSAPI authentication is used to provide additional authentication mechanisms to
applications. Allowing GSSAPI authentication through SSH exposes the system's
GSSAPI to remote hosts, increasing the attack surface of the system. |
Disable Kerberos Authentication
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000318, CCI-000368, CCI-001812, CCI-001813, CCI-001814, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FTP_ITC_EXT.1, FCS_SSH_EXT.1.2, SRG-OS-000364-GPOS-00151, SRG-OS-000480-GPOS-00227, OL08-00-010521, SV-248606r858574_rule |
| Description | Unless needed, SSH should not permit extraneous or unnecessary
authentication mechanisms like Kerberos.
The default SSH configuration disallows authentication validation through Kerberos. The appropriate configuration is used if no value is set for KerberosAuthentication.
To explicitly disable Kerberos authentication, add or correct the following line in /etc/ssh/sshd_config:
KerberosAuthentication no |
| Rationale | Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
is enabled through SSH, the SSH daemon provides a means of access to the
system's Kerberos implementation.
Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. |
Disable SSH Root Login
Disable SSH Support for User Known Hosts
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, FIA_UAU.1, SRG-OS-000480-GPOS-00227, OL08-00-010520, SV-248605r858572_rule |
| Description | SSH can allow system users to connect to systems if a cache of the remote
systems public keys is available. This should be disabled.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreUserKnownHosts yes |
| Rationale | Configuring this setting for the SSH daemon provides additional
assurance that remote login via SSH will require a password, even
in the event of misconfiguration elsewhere. |
Disable X11 Forwarding
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6(b), 2.2.4, SRG-OS-000480-GPOS-00227, OL08-00-040340, SV-248900r858588_rule |
| Description | The X11Forwarding parameter provides the ability to tunnel X11 traffic
through the connection to enable remote graphic connections.
SSH has the capability to encrypt remote X11 connections when SSH's
X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding no |
| Rationale | Disable X11 forwarding unless there is an operational requirement to use X11
applications directly. There is a small risk that the remote X11 servers of
users who are logged in via SSH with X11 forwarding could be compromised by
other users on the X11 server. Note that even if X11 forwarding is disabled,
users can always install their own forwarders. |
Do Not Allow SSH Environment Options
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | high |
| Identifiers and References | References: 11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, Req-2.2.4, 2.2.6, SRG-OS-000480-GPOS-00229, OL08-00-010830, SV-248650r877377_rule |
| Description | Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config:
PermitUserEnvironment no |
| Rationale | SSH environment options potentially allow users to bypass
access restriction in some configurations. |
Enable Use of Strict Mode Checking
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6, AC-17(a), CM-6(a), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, OL08-00-010500, SV-248603r858568_rule |
| Description | SSHs StrictModes option checks file and ownership permissions in
the user's home directory .ssh folder before accepting login. If world-
writable permissions are found, logon is rejected.
The default SSH configuration has StrictModes enabled. The appropriate
configuration is used if no value is set for StrictModes.
To explicitly enable StrictModes in SSH, add or correct the following line in
/etc/ssh/sshd_config:
StrictModes yes |
| Rationale | If other users have access to modify user-specific SSH configuration files, they
may be able to log into the system as another user. |
Enable SSH Print Last Log
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_print_last_log |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, CCI-000052, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-9, AC-9(1), PR.AC-7, SRG-OS-000480-GPOS-00227, OL08-00-020350, SV-248718r858584_rule |
| Description | Ensure that SSH will display the date and time of the last successful account logon.
The default SSH configuration enables print of the date and time of the last login. The appropriate configuration is used if no value is set for PrintLastLog.
To explicitly enable LastLog in SSH, add or correct the following line in /etc/ssh/sshd_config:
PrintLastLog yes |
| Rationale | Providing users feedback on when account accesses last occurred facilitates user
recognition and reporting of unauthorized account use. |
Force frequent session key renegotiation
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_rekey_limit |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000068, FCS_SSH_EXT.1.8, SRG-OS-000480-GPOS-00227, SRG-OS-000033-GPOS-00014, OL08-00-040161, SV-248868r877398_rule |
| Description | The RekeyLimit parameter specifies how often
the session key of the is renegotiated, both in terms of
amount of data that may be transmitted and the time
elapsed.To decrease the default limits, add or correct the following line in /etc/ssh/sshd_config:
RekeyLimit 1G 1h |
| Rationale | By decreasing the limit based on the amount of data and enabling
time-based limit, effects of potential attacks against
encryption keys are limited. |
Use Only FIPS 140-2 Validated Key Exchange Algorithms
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_approved_kex_ordered_stig |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001453, AC-17(2), SRG-OS-000250-GPOS-00093, OL08-00-040342, SV-255898r917916_rule |
| Description | Limit the key exchange algorithms to those which are FIPS-approved.
Add or modify the following line in /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oKexAlgorithms=ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512'This rule ensures that only the key exchange algorithms mentioned above (or their subset) are configured for use, keeping the given order of algorithms. |
| Rationale | DoD information systems are required to use FIPS-approved key exchange algorithms.
The system will attempt to use the first algorithm presented by the client that matches
the server list. Listing the values "strongest to weakest" is a method to ensure the use
of the strongest algorithm available to secure the SSH connection. |
| Warnings | warning
The system needs to be rebooted for these changes to take effect. warning
This rule doesn't come with a remediation, automatically changing the crypto-policies may be too disruptive. warning
System crypto modules must be provided by a vendor that undergoes
FIPS-140 certifications.
FIPS-140 is applicable to all Federal agencies that use
cryptographic-based security systems to protect sensitive information
in computer and telecommunication systems (including voice systems) as
defined in Section 5131 of the Information Technology Management Reform
Act of 1996, Public Law 104-106. This standard shall be used in
designing and implementing cryptographic modules that Federal
departments and agencies operate or are operated for them under
contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
To meet this requirements, the system has to have cryptographic software
provided by a vendor that has undergone this certification. This means
providing documentation, test results, design information, and independent
third party review by an accredited lab. While open source software is
capable of meeting this, it does not meet FIPS-140 unless the vendor
submits to this process. |
SSH server uses strong entropy to seed
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_use_strong_rng |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000366, FCS_RBG_EXT.1.2, SRG-OS-000480-GPOS-00232, SRG-OS-000480-GPOS-00227, OL08-00-010292, SV-248563r779255_rule |
| Description | To set up SSH server to use entropy from a high-quality source, edit the /etc/sysconfig/sshd file.
The SSH_USE_STRONG_RNG configuration value determines how many bytes of entropy to use, so
make sure that the file contains line
SSH_USE_STRONG_RNG=32 |
| Rationale | SSH implementation in Oracle Linux 8 uses the openssl library, which doesn't use
high-entropy sources by default. Randomness is needed to generate data-encryption keys, and as
plaintext padding and initialization vectors in encryption algorithms, and high-quality
entropy elliminates the possibility that the output of the random number generator used by SSH
would be known to potential attackers. |
| Warnings | warning
This setting can cause problems on computers without the hardware random generator, because insufficient entropy causes the connection to be blocked until enough entropy is available. |
Prevent remote hosts from connecting to the proxy display
| Rule ID | xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, OL08-00-040341, SV-248901r858590_rule |
| Description | The SSH daemon should prevent remote hosts from connecting to the proxy
display.
The default SSH configuration for X11UseLocalhost is yes,
which prevents remote hosts from connecting to the proxy display.
To explicitly prevent remote connections to the proxy display, add or correct the following line in /etc/ssh/sshd_config:
X11UseLocalhost yes |
| Rationale | When X11 forwarding is enabled, there may be additional exposure to the
server and client displays if the sshd proxy display is configured to listen
on the wildcard address. By default, sshd binds the forwarding server to the
loopback address and sets the hostname part of the DISPLAY
environment variable to localhost. This prevents remote hosts from
connecting to the proxy display. |
Install the OpenSSH Server Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_openssh-server_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.DS-2, PR.DS-5, FIA_UAU.5, FTP_ITC_EXT.1, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, OL08-00-040159, SV-248866r916422_rule |
| Description | The openssh-server package should be installed.
The openssh-server package can be installed with the following command:
$ sudo yum install openssh-server |
| Rationale | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered. |
Enable the OpenSSH Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_sshd_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 13, 14, APO01.06, DSS05.02, DSS05.04, DSS05.07, DSS06.02, DSS06.06, 3.1.13, 3.5.4, 3.13.8, CCI-002418, CCI-002420, CCI-002421, CCI-002422, SR 3.1, SR 3.8, SR 4.1, SR 4.2, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), PR.DS-2, PR.DS-5, SRG-OS-000423-GPOS-00187, SRG-OS-000424-GPOS-00188, SRG-OS-000425-GPOS-00189, SRG-OS-000426-GPOS-00190, OL08-00-040160, SV-248867r916422_rule |
| Description | The SSH server service, sshd, is commonly needed.
The sshd service can be enabled with the following command:
$ sudo systemctl enable sshd.service |
| Rationale | Without protection of the transmitted information, confidentiality, and
integrity may be compromised because unprotected communications can be
intercepted and either read or altered.
This checklist item applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, etc). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. |
OpenSSH Service Must Use Passcode for Their Private Keys
| Rule ID | xccdf_org.ssgproject.content_rule_ssh_private_keys_have_passcode |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000186, IA-5(2), IA-5(2).1, SRG-OS-000067-GPOS-00035, OL08-00-010100, SV-248532r779162_rule |
| Description | Verify the SSH private key files have a passcode.
For each private key stored on the system, use the following command:
$ sudo ssh-keygen -y -f /path/to/fileIf the contents of the key are displayed, without asking a passphrase this is a finding. |
| Rationale | If an unauthorized user obtains access to a private key without a passcode, that user would
have unauthorized access to any system where the associated public key has been installed. |
Certificate status checking in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_certificate_verification |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001948, CCI-001954, IA-2(11), SRG-OS-000375-GPOS-00160, SRG-OS-000377-GPOS-00162, OL08-00-010400, SV-248587r860917_rule |
| Description | Multifactor solutions that require devices separate from information systems gaining access include,
for example, hardware tokens providing time-based or challenge-response authenticators and smart cards.
Configuring certificate_verification to ocsp_dgst=sha1 ensures that certificates for
multifactor solutions are checked via Online Certificate Status Protocol (OCSP). |
| Rationale | Ensuring that multifactor solutions certificates are checked via Online Certificate Status Protocol (OCSP)
ensures the security of the system. |
Enable Certmap in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_certmap |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000187, IA-5 (2) (c), SRG-OS-000068-GPOS-00036, OL08-00-020090, SV-248685r858606_rule |
| Description | SSSD should be configured to verify the certificate of the user or group. To set this up
ensure that section like certmap/testing.test/rule_name is setup in
/etc/sssd/sssd.conf. For example
[certmap/testing.test/rule_name]
matchrule =<SAN>.*EDIPI@mil
maprule = (userCertificate;binary={cert!bin})
domains = testing.test
|
| Rationale | Without mapping the certificate used to authenticate to the user account, the ability to
determine the identity of the individual user or group will not be available for forensic
analysis. |
| Warnings | warning
Automatic remediation of this control is not available, since all of the settings in
in the certmap need to be customized. |
Enable Smartcards in SSSD
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_enable_smartcards |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001954, CCI-000765, CCI-000766, CCI-000767, CCI-000768, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, Req-8.3, 8.4, SRG-OS-000375-GPOS-00160, SRG-OS-000105-GPOS-00052, SRG-OS-000106-GPOS-00053, SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, OL08-00-020250, SV-248702r779672_rule |
| Description | SSSD should be configured to authenticate access to the system using smart cards.
To enable smart cards in SSSD, set pam_cert_auth to True under the
[pam] section in /etc/sssd/sssd.conf. For example:
[pam] pam_cert_auth = TrueAdd or update "pam_sss.so" line in auth section of "/etc/pam.d/system-auth" file to include "try_cert_auth" or "require_cert_auth" option, like in the following example: /etc/pam.d/system-auth:auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_authAlso add or update "pam_sss.so" line in auth section of "/etc/pam.d/smartcard-auth" file to include the "allow_missing_name" option, like in the following example: /etc/pam.d/smartcard-auth:auth sufficient pam_sss.so allow_missing_name |
| Rationale | Using an authentication device, such as a CAC or token that is separate from
the information system, ensures that even if the information system is
compromised, that compromise will not affect credentials stored on the
authentication device.
Multi-Factor Authentication (MFA) solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD Common Access Card. |
SSSD Has a Correct Trust Anchor
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_has_trust_anchor |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000185, IA-5 (2) (a), SRG-OS-000066-GPOS-00034, SRG-OS-000384-GPOS-00167, OL08-00-010090, SV-248531r860907_rule |
| Description | SSSD must have acceptable trust anchor present. |
| Rationale | Without path validation, an informed trust decision by the relying party cannot be made when
presented with any certificate not already explicitly trusted.
A trust anchor is an authoritative entity represented via a public key and associated data. It
is used in the context of public key infrastructures, X.509 digital certificates, and DNSSEC.
When there is a chain of trust, usually the top entity to be trusted becomes the trust anchor;
it can be, for example, a Certification Authority (CA). A certification path starts with the
subject certificate and proceeds through a number of intermediate certificates up to a trusted
root certificate, typically issued by a trusted CA.
This requirement verifies that a certification path to an accepted trust anchor is used for
certificate validation and that the path includes status information. Path validation is
necessary for a relying party to make an informed trust decision when presented with any
certificate not already explicitly trusted. Status information for certification paths includes
certificate revocation lists or online certificate status protocol responses.
Validation of the certificate status information is out of scope for this requirement. |
| Warnings | warning
Automatic remediation of this control is not available. |
Configure SSSD to Expire Offline Credentials
| Rule ID | xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-002007, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), IA-5(13), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000383-GPOS-00166, OL08-00-020290, SV-248710r853793_rule |
| Description | SSSD should be configured to expire offline credentials after 1 day.
Check if SSSD allows cached authentications with the following command:
$ sudo grep cache_credentials /etc/sssd/sssd.conf cache_credentials = trueIf "cache_credentials" is set to "false" or is missing no further checks are required. To configure SSSD to expire offline credentials, set offline_credentials_expiration to 1 under the [pam]
section in /etc/sssd/sssd.conf. For example:
[pam] offline_credentials_expiration = 1 |
| Rationale | If cached authentication information is out-of-date, the validity of the
authentication information may be questionable. |
Install usbguard Package
| Rule ID | xccdf_org.ssgproject.content_rule_package_usbguard_installed |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-001958, 1418, CM-8(3), IA-3, SRG-OS-000378-GPOS-00163, OL08-00-040139, SV-248862r853871_rule |
| Description |
The usbguard package can be installed with the following command:
$ sudo yum install usbguard |
| Rationale | usbguard is a software framework that helps to protect
against rogue USB devices by implementing basic whitelisting/blacklisting
capabilities based on USB device attributes. |
Enable the USBGuard Service
| Rule ID | xccdf_org.ssgproject.content_rule_service_usbguard_enabled |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000416, CCI-001958, 1418, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, OL08-00-040141, SV-248864r853873_rule |
| Description | The USBGuard service should be enabled.
The usbguard service can be enabled with the following command:
$ sudo systemctl enable usbguard.service |
| Rationale | The usbguard service must be running in order to
enforce the USB device authorization policy for all USB devices. |
Log USBGuard daemon audit events using Linux Audit
| Rule ID | xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | low |
| Identifiers and References | References: CCI-000169, CCI-000172, AU-2, CM-8(3), IA-3, FMT_SMF_EXT.1, SRG-OS-000062-GPOS-00031, SRG-OS-000471-GPOS-00215, SRG-APP-000141-CTR-000315, OL08-00-030603, SV-248805r779981_rule |
| Description | To configure USBGuard daemon to log via Linux Audit
(as opposed directly to a file),
AuditBackend option in /etc/usbguard/usbguard-daemon.conf
needs to be set to LinuxAudit. |
| Rationale | Using the Linux Audit logging allows for centralized trace
of events. |
Generate USBGuard Policy
| Rule ID | xccdf_org.ssgproject.content_rule_usbguard_generate_policy |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000416, CCI-001958, CM-8(3)(a), IA-3, FMT_SMF_EXT.1, SRG-OS-000378-GPOS-00163, OL08-00-040140, SV-248863r853872_rule |
| Description | By default USBGuard when enabled prevents access to all USB devices and this lead
to inaccessible system if they use USB mouse/keyboard. To prevent this scenario,
the initial policy configuration must be generated based on current connected USB
devices. |
| Rationale | The usbguard must be configured to allow connected USB devices to work
properly, avoiding the system to become inaccessible. |
Disable graphical user interface
| Rule ID | xccdf_org.ssgproject.content_rule_xwindows_remove_packages |
| Result | pass |
| Multi-check rule | no |
| OVAL Definition ID | oval:ssg-xwindows_remove_packages:def:1 |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, OL08-00-040320, SV-248898r780260_rule |
| Description | By removing the following packages, the system no longer has X Windows installed.
xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland
If X Windows is not installed then the system cannot boot into graphical user mode.
This prevents the system from being accidentally or maliciously booted into a graphical.target
mode. To do so, run the following command:
sudo yum remove xorg-x11-server-Xorg xorg-x11-server-common xorg-x11-server-utils xorg-x11-server-Xwayland |
| Rationale | Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security
vulnerabilities and should not be installed unless approved and documented. |
| Warnings | warning
The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your
overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target
which might bring your system to an inconsistent state requiring additional configuration to access the system
again.
The rule xwindows_runlevel_target can be used to configure the system to boot into the multi-user.target.
If a GUI is an operational requirement, a tailored profile that removes this rule should be used before
continuing installation. |
package xorg-x11-server-Xorg is removed oval:ssg-package_xorg-x11-server-Xorg_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xorg_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-Xorg |
package xorg-x11-server-common is removed oval:ssg-test_package_xorg-x11-server-common_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-common |
package xorg-x11-server-utils is removed oval:ssg-package_xorg-x11-server-utils_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-utils_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-utils |
package xorg-x11-server-Xwayland is removed oval:ssg-package_xorg-x11-server-Xwayland_removed:tst:1 true
No items have been found conforming to the following objects:
Object oval:ssg-obj_package_xorg-x11-server-Xwayland_removed:obj:1 of type rpminfo_object
| Name |
|---|
| xorg-x11-server-Xwayland |
Disable X Windows Startup By Setting Default Target
| Rule ID | xccdf_org.ssgproject.content_rule_xwindows_runlevel_target |
| Result | notapplicable |
| Multi-check rule | no |
| Time | 2023-12-18T23:47:57+00:00 |
| Severity | medium |
| Identifiers and References | References: 12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, OL08-00-040321, SV-252663r818785_rule |
| Description | Systems that do not require a graphical user interface should only boot by
default into multi-user.target mode. This prevents accidental booting of the system
into a graphical.target mode. Setting the system's default target to
multi-user.target will prevent automatic startup of the X server. To do so, run:
$ systemctl set-default multi-user.targetYou should see the following output: Removed symlink /etc/systemd/system/default.target. Created symlink from /etc/systemd/system/default.target to /usr/lib/systemd/system/multi-user.target. |
| Rationale | Services that are not required for system and application processes
must not be active to decrease the attack surface of the system. X windows has a
long history of security vulnerabilities and should not be used unless approved
and documented. |